[Zope-dev] Re: Patch for attribute permisions problems in Zope 2.7.3

[Santi Camps]

En/na Tres Seaver ha escrit:
|
| Now, accessed and container are always the same, and in some cases
| should be different.   I attach a patch to solve this case that works
| for me.  I'm not sure if my code is the best way to solve the problem
| but, as I said, it seems to work fine.
| Of course, If the patch is accepted, the same change should be done in
| the C version.
Jim and I worked through this, and ended up putting back the use of
'aq_acquire' to do the validation, precisely becuase *it* knows what the
real container is (from guarded_getattr, you have to guess).  Please
verify that the head of the 2.7 branch resolves the issues you found.
Yes, works fine for me !!  

Thanks very much for your work on this issue.  I'm sorry I let it slide
so long,
Tres.
No, thanks to you for your great work.  It's really impresive.   The 
minimum I could do is try to help when I can.

Regards
Santi Camps
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: Patch for attribute permisions problems in Zope 2.7.3

[Tres Seaver]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Santi Camps wrote:
| We have been written last week about some attribute permission problems
| with Zope 2.7.3 beta due to a patch applied by Tres.
| First of all, Tres, apologies for my too fast written test case and my
| too late test of Zope 2.7.3.   Now, with some more time, I've tested and
| debugged on Zope 2.7.3 and found exactly what's happen.
| Supose we have a structure of objects like this:A.__of__(B)
| A inherits from Acquisition.Implicit, has security assertions, but has
| not __allow_access_to_unprotected_subojects__
| We want to access, from a Zope Page Template, an attribute of B that
| is not present in A
| Accessing B.our_attribute attribute works fine.   But accessing
| A.__of__(B).our_attribute fails, and should work.
|
| The problem is the call to validate done in guarded_getattr method
| of ImplPython.py.  The actual call is if validate(inst, inst, name,
| v), but the validate function says:
|
| Arguments:
|accessed -- the object that was being accessed
|container -- the object the value was found in
|name -- The name used to access the value
|value -- The value retrieved though the access.
|roles -- The roles of the object if already known.
|
| Now, accessed and container are always the same, and in some cases
| should be different.   I attach a patch to solve this case that works
| for me.  I'm not sure if my code is the best way to solve the problem
| but, as I said, it seems to work fine.
| Of course, If the patch is accepted, the same change should be done in
| the C version.
Jim and I worked through this, and ended up putting back the use of
'aq_acquire' to do the validation, precisely becuase *it* knows what the
real container is (from guarded_getattr, you have to guess).  Please
verify that the head of the 2.7 branch resolves the issues you found.
Thanks very much for your work on this issue.  I'm sorry I let it slide
so long,
Tres.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  Zope Dealers   http://www.zope.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD4DBQFCFWSEGqWXf00rNCgRAtxAAJisR/4jFULrp9Lyd9mvubtF1y8MAJsE0/Vy
NTXbqXc+olXYl3SVxiWW8w==
=1hOE
-END PGP SIGNATURE-
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )