Update of /cvs-repository/Packages/AccessControl In directory cvs.zope.org:/tmp/cvs-serv19057/lib/python/AccessControl
Modified Files: Tag: Zope-2_7-branch ZopeGuards.py Log Message: Hotfix_20050405: prevent untrusted code from shadowing roles on protected methods of base classes. === Packages/AccessControl/ZopeGuards.py 1.16.2.4 => 1.16.2.5 ===
--- Packages/AccessControl/ZopeGuards.py:1.16.2.4 Fri Jan 7 17:03:59 2005
+++ Packages/AccessControl/ZopeGuards.py Tue Apr 5 17:17:44 2005
@@ -338,6 +338,9 @@
 # This metaclass supplies the security declarations that allow all
 # attributes of a class and its instances to be read and written.
 def _metaclass(name, bases, dict):
+ for k, v in dict.items():
+ if k.endswith('__roles__') and k[:len('__roles__')] not in dict:
+ raise Unauthorized, "Can't override security: %s" % k
 ob = type(name, bases, dict)
 ob.__allow_access_to_unprotected_subobjects__ = 1
 ob._guarded_writes = 1
_______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins
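Review bot: The membership test in the added `if` slices the wrong end of the key: `k[:len('__roles__')]` keeps the first nine characters of `k` instead of removing the `__roles__` suffix, so for `foo__roles__` it looks up `'foo__role'` rather than `'foo'`. The guard therefore decides on a name unrelated to the method whose roles are being declared, which rejects a class that defines both `foo` and `foo__roles__` and does not reliably enforce the rule stated in the log message. The condition should read `k.endswith('__roles__') and k[:-len('__roles__')] not in dict`. With that change a bare `__roles__` key strips to the empty string, so decide explicitly whether it should be rejected. `v` is unused, so `for k in dict:` is enough; the rest of `_metaclass` lies outside the hunk.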