Hi!

Marius Gedminas wrote:
> (Adding Cc: [email protected] back)

Sorry. The default reply-to of the ML should be set to avoid this :-)

>> Case A) :
>> -> import pdb; pdb.set_trace()
>> (Pdb) type(self.context)
>> <class 'inqbus.booking.engine.app.BookingEngine'>
>>
>
> That's weird -- there's no proxy on the context.
>
>> Case B):
>> -> import pdb; pdb.set_trace()
>> (Pdb) type(self.context)
>> <type 'zope.security._proxy._Proxy'>
>> (Pdb) self.context
>> <inqbus.booking.engine.app.BookingEngine object at 0xa3b19ac>
>>
>> OK. This is the problem. But why is there NO security context in Case A?
>>
>
> In an unrelated thread on zope-dev today I learned that
> z3c.layer.pagelet version 1.0.1 has a security bug where it unwraps
> security proxies from traversed objects. Are you using that version of
> that package by any chance?

I use

drwxr-xr-x 4 volker volker 4096 30. Mär 17:35 z3c.layer-0.3.1-py2.6.egg
drwxr-xr-x 4 volker volker 4096 30. Mär 17:35 z3c.macro-1.2.1-py2.6.egg
drwxr-xr-x 4 volker volker 4096 30. Mär 17:35 z3c.pagelet-1.2.0-py2.6.egg

which seems far away from the version you mention.

> The default is to be secure -- raise ForbiddenAttribute on any attribute
> access.

Ok. In this case the issue is not only weird, it is sort of a security hole.
How can I proceed further to identify the problem? Please guide me on what checks I can perform to shed more light on this.

Best Regards,
Volker

_______________________________________________
bluebream mailing list
[email protected]
https://mail.zope.org/mailman/listinfo/bluebream
