[Zope-dev] Re: Was: Re: 2.7.3 beta attribute permission problems

Tres Seaver tseaver at zope.com
Sat Oct 23 18:03:10 EDT 2004


Andreas Jung wrote:
> 
> 
> --On Freitag, 22. Oktober 2004 8:38 Uhr -0400 Tres Seaver 
> <tseaver at zope.com> wrote:
> 
>> Andreas Jung wrote:
>>
>>> how severe is the problem that you have fixed? According to some
>>> rumors the fix seems to break applications. The question for Zope
>>> 2.7.3 final is: is the problem severe enough to have it fixed for
>>> 2.7.3 with the risk of causing trouble with broken applications or
>>> can we defer the fix to Zope 2.8?
>>
>>
>> -1.
>>
>> I have yet to get a reproducible test case (one which breaks on 2.7-head
>> but works on 2.7.2) from the examples folks have supplied.  The bug which
>> I was fixing is a security issue, reported against CMF, but also
>> affecting Zope:  http://zope.org/Collectors/CMF/259
>>
>> Given that the change was required to implement a security fix, and
>> without a reproducible test case for the reported breakage, I don't think
>> we can credit the rumors.  We *definitely* don't want to defer the
>> security fix.
> 
> I am not against the patch...I just need to know what the state of this 
> issue is and what its implications are for the final 2.7.3 release :-)

OK, here is my take, rephrased:  the patch is there to support an 
important security fix (see the link above).  Without a reproducible 
test case (I've tried and failed to make Stefan's reproducible within 
the AccessControl tests), we should just go forward and release 2.7.3.

Applications which use 'setDefaultAccess("deny")' for their content 
objects may need to quit trying to acquire CMF tools implicitly (using 
'getToolByName' instead, which is the preferred API anyway);  that is 
the only case I know of which can be isolated.

Richard Jones reported an issue with the patch, but couldn't give us a 
simple case.  Users who *have* such weird applications can reverse the 
patch, find workarounds, or whatever, until they can help us isolate the 
bug.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
