Re: [Zope-dev] ZCatalog and indexes cleanup
On 29.06.09 19:33, yuppie wrote:
> Hi Andreas!
>
> Andreas Jung wrote:
>> On 29.06.09 12:48, yuppie wrote:
>>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>>
>>> All the other indexes don't have security declarations. AFAICS there is
>>> no way to access indexes from untrusted code without having the 'Manage
>>> ZCatalogIndex Entries' permission.
>>>
>> I think that all index implementation should have security assertions?!
>>
> Why?
>
> '_catalog.indexes' is protected by the underscore and using the
> 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
> additional security restrictions would have any effect.
>
> Or am I missing a security hole?

Not sure. I created a catalog /catalog and an index 'my_index'. Within a debug shell:

>>> app.catalog.Indexes['my_index']
>>> app.unrestrictedTraverse('catalog/Indexes/my_index')
>>> app.restrictedTraverse('catalog/Indexes/my_index')
Traceback (most recent call last):
  File "", line 1, in ?
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 301, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 236, in unrestrictedTraverse
    next = guarded_getattr(obj, name)
AccessControl.unauthorized.Unauthorized: You are not allowed to access 'Indexes' in this context
h...

Andreas

begin:vcard
fn:Andreas Jung
n:Jung;Andreas
org:ZOPYX Ltd. & Co. KG
adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany
email;internet:i...@zopyx.com
title:CEO
tel;work:+49-7071-793376
tel;fax:+49-7071-7936840
tel;home:+49-7071-793257
x-mozilla-html:FALSE
url:www.zopyx.com
version:2.1
end:vcard

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
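As an added illustration of the two guards the two posters are arguing about (this is not Zope's AccessControl code and comes from neither poster; class names, the `__permissions__` table and the `build_app` fixture are assumptions made for the model), the script below replays the debug-shell session in a toy form: internals live under an underscore name, the public 'Indexes' alias is gated by a permission, and the index object itself carries no declarations at all. Unrestricted traversal reaches the index, restricted traversal without the permission stops at 'Indexes', and restricted traversal with the permission gets through. That is the point yuppie makes: whatever the index class declares about itself only matters once the container already let the caller in.

```python
# Toy model of Zope's restricted vs. unrestricted traversal (added example,
# not Zope code). Real Zope uses AccessControl's guarded_getattr and
# OFS.Traversable.restrictedTraverse; everything below is a simplification.


class Unauthorized(Exception):
    """Raised when restricted code touches something it may not."""


class Index:
    """Stand-in for a catalog index with no security declarations of its own."""

    def __init__(self, name):
        self.id = name

    def indexSize(self):
        return 0


class Catalog:
    """Stand-in for a ZCatalog: internals under an underscore name, and a
    public 'Indexes' alias gated by a permission."""

    # Assumed name-to-permission table; in Zope this comes from
    # ClassSecurityInfo declarations on the class, not a dict like this.
    __permissions__ = {'Indexes': 'Manage ZCatalogIndex Entries'}

    def __init__(self):
        self._catalog = {'indexes': {}}

    @property
    def Indexes(self):
        return self._catalog['indexes']

    def addIndex(self, name):
        self._catalog['indexes'][name] = Index(name)


def _lookup(obj, name):
    """Plain attribute-or-item access, as unrestricted traversal does it."""
    if hasattr(obj, name):
        return getattr(obj, name)
    return obj[name]


def guarded_getattr(obj, name, permissions):
    """Model of the restricted lookup: underscore names are never reachable,
    and a name listed in __permissions__ requires that permission."""
    if name.startswith('_'):
        raise Unauthorized(f"You are not allowed to access '{name}' in this context")
    needed = getattr(type(obj), '__permissions__', {}).get(name)
    if needed is not None and needed not in permissions:
        raise Unauthorized(f"You are not allowed to access '{name}' in this context")
    return _lookup(obj, name)


def unrestricted_traverse(root, path):
    """Walk a '/'-separated path with no checks at all."""
    obj = root
    for part in path.split('/'):
        obj = _lookup(obj, part)
    return obj


def restricted_traverse(root, path, permissions=frozenset()):
    """Walk the same path, but through guarded_getattr at every step."""
    obj = root
    for part in path.split('/'):
        obj = guarded_getattr(obj, part, permissions)
    return obj


def build_app():
    """Constructed fixture mirroring the thread: /catalog with index 'my_index'."""
    class App:
        pass
    app = App()
    app.catalog = Catalog()
    app.catalog.addIndex('my_index')
    return app


def traversal_outcomes():
    """Replay the three lookups from the debug shell plus one underscore probe."""
    app = build_app()
    path = 'catalog/Indexes/my_index'
    results = {'unrestricted': unrestricted_traverse(app, path).id}
    try:
        restricted_traverse(app, path)
        results['restricted_anonymous'] = 'allowed'
    except Unauthorized as exc:
        results['restricted_anonymous'] = str(exc)
    manager = {'Manage ZCatalogIndex Entries'}
    results['restricted_manager'] = restricted_traverse(app, path, manager).id
    try:
        restricted_traverse(app, 'catalog/_catalog', manager)
        results['underscore'] = 'allowed'
    except Unauthorized as exc:
        results['underscore'] = str(exc)
    return results


if __name__ == '__main__':
    for key, value in traversal_outcomes().items():
        print(f'{key}: {value}')
```

The anonymous restricted lookup fails with the same wording the traceback above shows ("not allowed to access 'Indexes'"), and it fails before the Index object is ever consulted; adding or removing declarations on Index changes nothing in this model, which is the claim under discussion.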
Re: [Zope-dev] ZCatalog and indexes cleanup
Hi Andreas!

Andreas Jung wrote:
> On 29.06.09 12:48, yuppie wrote:
>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>
>> All the other indexes don't have security declarations. AFAICS there is
>> no way to access indexes from untrusted code without having the 'Manage
>> ZCatalogIndex Entries' permission.
>>
>
> I think that all index implementation should have security assertions?!

Why?

'_catalog.indexes' is protected by the underscore and using the
'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
additional security restrictions would have any effect.

Or am I missing a security hole?

Cheers,

Yuppie
Re: [Zope-dev] ZCatalog and indexes cleanup
On 29.06.09 12:48, yuppie wrote:
> Hi!
>
> I did plan to work on a small catalog improvement, but after looking at
> the code I'd like to do some cleanup first:
>
> 1.) remove the deprecated TextIndex
>
> The deprecation warning says:
> 'Using TextIndex is deprecated (will be removed in Zope '
> '2.12). Use ZCTextIndex instead.'
>

+1

> 2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog
>
> These files seem to be obsolete.

+1

> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>
> All the other indexes don't have security declarations. AFAICS there is
> no way to access indexes from untrusted code without having the 'Manage
> ZCatalogIndex Entries' permission.

I think that all index implementation should have security assertions?!

> 4.) add 'indexSize' to IPluggableIndex and implement it where missing
>
> ZCatalog uses that method and most indexes implement it already.

+1

Andreas
Re: [Zope-dev] ZCatalog and indexes cleanup
On 6/29/09 12:48 PM, yuppie wrote:
> Hi!
>
> I did plan to work on a small catalog improvement, but after looking at
> the code I'd like to do some cleanup first:
>
> 1.) remove the deprecated TextIndex
>
> The deprecation warning says:
> 'Using TextIndex is deprecated (will be removed in Zope'
> '2.12). Use ZCTextIndex instead.'
>
> 2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog
>
> These files seem to be obsolete.
>
> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>
> All the other indexes don't have security declarations. AFAICS there is
> no way to access indexes from untrusted code without having the 'Manage
> ZCatalogIndex Entries' permission.
>
> 4.) add 'indexSize' to IPluggableIndex and implement it where missing
>
> ZCatalog uses that method and most indexes implement it already.

An API to both get and set 'extras' would be very useful for GenericSetup as well :)

Wichert.