[Zope3-checkins] SVN:
Zope3/trunk/src/zope/app/security/_protections.py The code in
this module worked for tests but was broken for actual Zope
instances. This caused Messages to be security proxied, which
can cause surprising and undesirable effects. Fixed with the
most obvious hack around the problem, but this is not ideal.
There was a discussion earlier on how to fix this the 'right' way;
using an artifact of our testing framework to bootstrap a zope
instance, as I am doing here, is not acceptable for a release.
A revert to the previous (broken for tests, but with a
workaround) behavior would be preferable than using _clear.
Stephan Richter
srichter at cosmos.phy.tufts.edu
Wed Oct 26 17:22:53 EDT 2005
On Wednesday 26 October 2005 17:31, Gary Poster wrote:
> Changed:
> U Zope3/trunk/src/zope/app/security/_protections.py
>
> -=-
> Modified: Zope3/trunk/src/zope/app/security/_protections.py
> ===================================================================
> --- Zope3/trunk/src/zope/app/security/_protections.py 2005-10-26 21:26:52
> UTC (rev 39657) +++
> Zope3/trunk/src/zope/app/security/_protections.py 2005-10-26 21:31:04 UTC
> (rev 39658) @@ -37,6 +37,9 @@
> zope.security.checker.BasicTypes[MessageID] = NoProxy
> # this, however, is not a security hole, because Messages are
> immutable. zope.security.checker.BasicTypes[Message] = NoProxy
> + zope.security.checker._clear() # XXX The BasicTypes approach requires
> + # _clear be called. This is not a good idea. This should be
> addressed + # before release.
Why do we need _clear() here? This does not make sense. _clear() does nto
affect BasicTypes at all.
Regards,
Stephan
--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
More information about the Zope3-Checkins
mailing list