[Zope3-dev] URLGetter security declaration: changing from zope.View to zope.Public
Gary Poster
gary at zope.com
Mon Sep 4 11:08:30 EDT 2006
In zope/app/publisher/http.zcml we have
<class class="zope.publisher.http.URLGetter">
  <require
      permission="zope.View"
      attributes="get __getitem__ __str__" />
</class>
I think this should be zope.Public. Otherwise unauthorized users
viewing an untrusted page template will get errors from a template
that tries to do things like tal:attributes="action request/URL".
A non-public permission is particularly problematic because URLGetter
doesn't have an __parent__ attribute; therefore, there's no context
for someone to *get* zope.View in the current public Zope 3 security
policies (and even then, the context would be request, and where
should *it* get a security context?)
Objections? I probably won't port this back to 3.3 unless folks
request it, since I'm not sure if it is a bugfix (port) or a policy
change (don't port).
I'm going to change this in the trunk now.
Gary
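The point about __parent__ can be made concrete with a small model of how a context-based policy resolves a permission. This is an added illustration, not code from the post or from zope.security: it assumes a simplified policy that walks __parent__ looking for a local grant and treats zope.Public as always granted, and the Folder, URLGetter and render_url names are stand-ins constructed for the example.

```python
"""Simplified model (not zope.security's real code) of the lookup the
post describes: zope.View needs a grant found via the __parent__ chain,
zope.Public is granted unconditionally, and URLGetter has no __parent__."""

PUBLIC = "zope.Public"


class Unauthorized(Exception):
    pass


class Folder:
    """Constructed sample content object that can carry local grants."""
    def __init__(self, name, parent=None, grants=()):
        self.__name__ = name
        self.__parent__ = parent
        self.local_grants = set(grants)  # (principal, permission) pairs


class URLGetter:
    """Stand-in for zope.publisher.http.URLGetter: no __parent__ at all."""
    def __init__(self, url):
        self._url = url

    def __str__(self):
        return self._url


def context_chain(obj):
    """Yield obj and its ancestors; stops as soon as __parent__ is missing."""
    while obj is not None:
        yield obj
        obj = getattr(obj, "__parent__", None)


def check_permission(principal, permission, obj):
    """True if principal holds permission on obj under this toy policy."""
    if permission == PUBLIC:
        return True
    for ctx in context_chain(obj):
        if (principal, permission) in getattr(ctx, "local_grants", ()):
            return True
    return False  # no grant reachable: an anonymous viewer is refused


def render_url(principal, request_url, permission_on_urlgetter):
    """Model a template evaluating tal:attributes="action request/URL"."""
    getter = URLGetter(request_url)
    if not check_permission(principal, permission_on_urlgetter, getter):
        raise Unauthorized(f"{principal} lacks {permission_on_urlgetter}")
    return str(getter)
```

With permission="zope.View" the check on URLGetter fails even for a principal who holds zope.View on the site, because the walk has nothing to climb; with zope.Public the template renders the URL for everyone.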