[Zope] Re: Re: Re: Blocking Sibling inheritance
Malcolm Cleaton
malcolm at jamkit.com
Thu Mar 10 05:07:37 EST 2005
On Wed, 09 Mar 2005 19:23:53 +0100, Dieter Maurer wrote:
> Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
>>The issue can be worked around more easily than this. It is only the magic
>>"Authenticated" role which appears to suffer from this problem.
>
> It should not be necessary:
>
> A user should not be able to access any *protected* (!) object
> outside the subhierarchy governed by the user folder
> that authenticated the user.
>
> But maybe, we have a bug (and "aq_inContextOf" does not work
> as expected).
Yes, this shouldn't be necessary, and it looks like it's a bug.
Looks to me like the bug is in User.py's allowed method. Quite simply,
when it checks for the Authenticated role, it doesn't call
self._check_context, so never attempts to detect and foil acquisition
tricks. Unless I'm missing something, it should be a quick and easy fix.
Thanks,
Malcolm.
--
[] j a m k i t
web solutions for charities
malcolm cleaton
T: 020 7549 0520
F: 020 7490 1152
M: 07986 563852
W: www.jamkit.com
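As an added illustration of the defect Malcolm describes (this is a toy model written for this page, not Zope's User.py), the buggy `allowed` short-circuits on the magic "Authenticated" role without calling `_check_context`, while the fixed version routes every grant through the acquisition-context check; the `Node`, `User`, and the sample site are all constructed for the example.

```python
# Added illustration (not Zope's own code) of the missing context check.
# Minimal model of acquisition: each object knows its aq_parent.
class Node:
    def __init__(self, parent=None):
        self.aq_parent = parent  # hypothetical stand-in for Zope's aq_parent

    def aq_inContextOf(self, other):
        # True if `other` is this node or one of its acquisition ancestors.
        node = self
        while node is not None:
            if node is other:
                return True
            node = node.aq_parent
        return False


class User:
    def __init__(self, roles, user_folder):
        self.roles = set(roles)
        self._user_folder = user_folder  # folder that authenticated the user

    def _check_context(self, obj):
        # Object must sit inside the subhierarchy governed by the folder
        # that contains the authenticating user folder.
        return obj.aq_inContextOf(self._user_folder.aq_parent)

    def allowed_buggy(self, obj, object_roles):
        # Explicit roles are context-checked, but the magic 'Authenticated'
        # role returns early without calling _check_context (the defect).
        if 'Authenticated' in object_roles:
            return True
        if self.roles & set(object_roles):
            return self._check_context(obj)
        return False

    def allowed_fixed(self, obj, object_roles):
        # Every grant, 'Authenticated' included, goes through _check_context.
        if 'Authenticated' in object_roles or self.roles & set(object_roles):
            return self._check_context(obj)
        return False

# Constructed sample site: /root/a/acl_users authenticates the user,
# /root/a/page lies inside its context and /root/b/secret outside.
root = Node()
a = Node(root)
acl_users = Node(a)
inside = Node(a)
outside = Node(Node(root))
user = User(['Member'], acl_users)
```

With the buggy check, an object outside the user folder's subhierarchy that grants a permission to "Authenticated" is reachable; with the fixed check it is refused, exactly as an explicitly granted role already is.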