[Zope3-Users] Security Problem in z3c.layer/pagelet

Hermann Himmelbauer dusty at qwer.tk
Wed Feb 6 14:02:38 EST 2008


Hi,
During the development of my application I suddenly noticed that my 
context objects had no security proxy around them, which is bad, as then data 
is open to everyone.

After searching and fiddling around, I recognized that this happens when I use 
a layer/skin that inherits from z3c.layer.pagelet.IPageletBrowserLayer. If I 
inherit from e.g. zope.publisher.interfaces.browser.IBrowserRequest, things 
work.

To prove this, I attached a minimal demonstration to this mail - in the 
__init__.py file, the offending code is demonstrated. After installing and 
adding the object via the ZMI, one can access these links:

http://localhost:8080/MyappSite/index.html
http://localhost:8080/++skin++Myapp/MyappSite/index1.html

It can be seen that the second link, which is based on a skin inheriting from 
IPageletBrowserLayer, has no security proxies around the context.

Interestingly, I develop another application, which is also based on 
IPageletBrowserLayer, which does not suffer from this problem, so I don't 
really understand what's happening. I tried to debug the problem but I was 
stuck at the implementation of queryMultiAdapter, which seems to somehow 
magically remove the security proxy.

I tested this with Python 2.4.4, Zope-3.4.0b2 and Zope-3.4.0c1 and the current 
SVN versions of z3c.layer.

Do you have any clue how to solve this problem?

Best Regards,
Hermann

-- 
hermann at qwer.tk
GPG key ID: 299893C7 (on keyservers)
FP: 0124 2584 8809 EF2A DBF9  4902 64B4 D16B 2998 93C7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: myapp.tgz
Type: application/x-tgz
Size: 2283 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope3-users/attachments/20080206/771c0d74/myapp.bin