Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-18 Thread Stuart Bishop
On 17/01/2004, at 10:34 AM, Jim Fulton wrote: I'm pretty sure that I can redo the way we protect dictionaries and lists so that we can provide backward compatibility. If I can do this, I will, because backward compatibility *is* important, especial

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-18 Thread Jim Fulton
Dieter Maurer wrote: Jim Fulton wrote at 2004-1-16 18:54 -0500: ... For security checks, the accessed object should be the driving factor and not the particular way the access is made. Well, sorry, that's not what this is about. We are talking about what to do when accessing objects without ro

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-17 Thread Dieter Maurer
Jim Fulton wrote at 2004-1-16 18:54 -0500: > ... >> For security checks, the accessed object should be the driving factor >> and not the particular way the access is made. > >Well, sorry, that's not what this is about. We are talking about what >to do when accessing objects without roles. The

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-16 Thread Jim Fulton
Dieter Maurer wrote: Jim Fulton wrote at 2004-1-15 17:23 -0500: BTW, telling me that an algorithm has changed doesn't constitute a use case. :) I know that algorithm has changed. I assert that we don't need the feature that the change broke. I am open to evidence to the contrary. Do you have a

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-16 Thread Jim Fulton
Jim Fulton wrote: Stuart Bishop wrote: ... It was never intended that the ability to control unprotected sub-objects by name would apply to items. It was sloppy coding on my part that item indexes (yes, indexes, like, say, 1) and keys were passed as names. I can certainly understand why peopl

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-16 Thread Jim Fulton
Stuart Bishop wrote: On 16/01/2004, at 9:23 AM, Jim Fulton wrote: Dieter Maurer wrote: Jim Fulton wrote at 2004-1-15 10:03 -0500: ... Right. The name attribute was intended for attribute-based access. IMO, it makes no sense to consider key values whe

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-16 Thread Jim Fulton
Dieter Maurer wrote: Jim Fulton wrote at 2004-1-15 17:23 -0500: ... None should never be passed for attribute accesses. If it is, then there is a bug. The case of dictionary mapping names to whatever is for attribute access. We are talking about item/key access. I haven't seen a use case for nee

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-16 Thread Stuart Bishop
On 16/01/2004, at 9:23 AM, Jim Fulton wrote: Dieter Maurer wrote: Jim Fulton wrote at 2004-1-15 10:03 -0500: ... Right. The name attribute was intended for attribute-based access. IMO, it makes no sense to consider key values when doing security checks

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Dieter Maurer
Jim Fulton wrote at 2004-1-15 17:23 -0500: >BTW, telling me that an algorithm has changed doesn't constitute >a use case. :) I know that algorithm has changed. I assert that >we don't need the feature that the change broke. I am open >to evidence to the contrary. Do you have a convincing reason

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Dieter Maurer
Jim Fulton wrote at 2004-1-15 17:23 -0500: > ... >None should never be passed for attribute accesses. If it is, >then there is a bug. The case of dictionary mapping names to >whatever is for attribute access. We are talking about item/key >access. I haven't seen a use case for needing to specify

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Jim Fulton
Dieter Maurer wrote: Jim Fulton wrote at 2004-1-15 10:03 -0500: ... Right. The name attribute was intended for attribute-based access. IMO, it makes no sense to consider key values when doing security checks. I will let Jim comment on your use case. What use case? I missed it. Where is it? "Ac

[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Tres Seaver
Dieter Maurer wrote: Jim Fulton wrote at 2004-1-15 10:03 -0500: ... Right. The name attribute was intended for attribute-based access. IMO, it makes no sense to consider key values when doing security checks. I will let Jim comment on your use case. What use case? I missed it. Where is it? "Ac

Re: [Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Dieter Maurer
Jim Fulton wrote at 2004-1-15 10:03 -0500: > ... >Right. The name attribute was intended for attribute-based access. > >IMO, it makes no sense to consider key values when doing security >checks. > >> I will let Jim comment on your use case. > >What use case? I missed it. Where is it? "AccessContr

[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Jim Fulton
Tres Seaver wrote: Jim Fulton wrote: Tres Seaver wrote: I will let Jim comment on your use case. What use case? I missed it. Where is it? Here is Stuart's original post: This has the side effect of not passing the name attribute to my security assertion methods registered via ClassSecurityI

[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Tres Seaver
Jim Fulton wrote: Tres Seaver wrote: I will let Jim comment on your use case. What use case? I missed it. Where is it? Here is Stuart's original post: This has the side effect of not passing the name attribute to my security assertion methods registered via ClassSecurityInfo.setDefaultAccess: c

[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Jim Fulton
Tres Seaver wrote: Stuart Bishop wrote: On 13/01/2004, at 4:19 PM, Stuart Bishop wrote: The 'security audit work for the 2.7 branch' commit on 8th Jan made the following change in PageTemplates/Expression.py: As well as in other locations such as ZopeGuards.py. I've opened http://collector.zop

[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

2004-01-15 Thread Tres Seaver
Stuart Bishop wrote: On 13/01/2004, at 4:19 PM, Stuart Bishop wrote: The 'security audit work for the 2.7 branch' commit on 8th Jan made the following change in PageTemplates/Expression.py: As well as in other locations such as ZopeGuards.py. I've opened http://collector.zope.org/Zope/1182 wit