[Zope] security - am I going crazy ?
Shane Hathaway
shane@digicool.com
Fri, 08 Dec 2000 13:48:49 -0500
Aleksander Salwa wrote:
> A few days ago I found that on the site that I'm currently working on,
> everybody can add DTMLMethods and Documents (and maybe do more, I haven't
> checked yet, but I think it's bad enough!) by simply entering the URL
> http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1
You're right. It's because of a "legacy" issue. Here's a quick patch
that plugs the hole:
Index: ProductContext.py
===================================================================
RCS file: /cvs-repository/Zope2/lib/python/App/ProductContext.py,v
retrieving revision 1.27
diff -u -r1.27 ProductContext.py
--- ProductContext.py 2000/11/20 15:36:35 1.27
+++ ProductContext.py 2000/12/08 18:46:38
@@ -195,7 +195,7 @@
else: name=method.__name__
if not OM.__dict__.has_key(name):
setattr(OM, name, method)
- setattr(OM, name+'__roles__', pr)
+ setattr(OM, method.__name__+'__roles__', pr)
if type(initial) is tt: name, initial = initial
else: name=initial.__name__
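Review bot: the roles attribute and the method itself now live under different names when a `(name, method)` tuple is registered: the constructor is still bound as `setattr(OM, name, method)`, but its roles go to `method.__name__+'__roles__'`, so an alias whose `name` differs from the function's `__name__` no longer has a matching `name+'__roles__'` attribute. Unless the security machinery resolves roles from the function's own `__name__` rather than the attribute name it was reached by, this just moves the gap from one name to the other. Safer to set both, i.e. keep `setattr(OM, name+'__roles__', pr)` and add `setattr(OM, method.__name__+'__roles__', pr)` beside it (a no-op when the two names coincide). Two smaller points: both setattr calls sit under `if not OM.__dict__.has_key(name):`, so a `name` that is already present on OM gets no roles assigned here at all; and the hunk header advertises 7 old and 7 new lines but only 6 of each are shown, so a leading context line was lost somewhere between the repository and this mail and the patch as posted will not apply cleanly.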
This is not perfect, however. I'm working on a better solution.
Shane