#2207: identity.SecureObject doesn't cascade down to subcontrollers
------------------------+---------------------------------------------------
Reporter: fetchinson | Owner: faide
Type: defect | Status: new
Priority: normal | Milestone: 1.1
Component: TurboGears | Version: 1.0.8
Severity: normal | Keywords: security
------------------------+---------------------------------------------------
When a subcontroller is "mounted" on a controller and this latter
controller is protected by identity.SecureObject, the methods of the
subcontroller will not be protected. The only workaround seems to be to
wrap each and every subcontroller with identity.SecureObject, although a
better solution would be to have identity.SecureObject cascade down
automatically to every subcontroller. The problem is especially severe
with catwalk. Even if the main catwalk controller is protected, the
methods exposed by subcontrollers of catwalk are not, leading to serious
security leakage.
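Example:

    from turbogears import expose, identity
    from turbogears.controllers import Controller, RootController

    # Defined innermost first so each name exists before it is mounted.
    class A3( Controller ):
        @expose( )
        def meth3( self ):
            return dict( )

    class A2( Controller ):
        A3 = A3( )

        @expose( )
        def meth2( self ):
            return dict( )

    class A1( RootController ):
        # Mount an A2 instance behind the group check.
        A2 = identity.SecureObject( A2( ), identity.in_group( 'test' ) )
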
Access to /A1/A2/meth2 is limited, as expected, by the
identity.SecureObject construction. But access to /A1/A2/A3/meth3 is not
limited.
--
Ticket URL: <http://trac.turbogears.org/ticket/2207>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
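
The following is an added example, not part of the ticket and not TurboGears code: a simplified model of the wrapper behaviour reported above, plus an audit walk that lists exposed methods reachable without a permission check. Guard, make_root and unguarded are hypothetical names, and the model assumes a wrapper that checks only the exposed methods of the object it wraps.

```python
class Controller:
    """Stand-in base class; nothing in this block is TurboGears code."""

def expose(fn):
    fn.exposed = True                      # mark the method as URL-reachable
    return fn

class Guard:
    """Checks exposed methods of one object; other attributes pass through."""
    def __init__(self, obj, allowed, cascade=False):
        self._obj, self._allowed, self._cascade = obj, allowed, cascade

    def __getattr__(self, name):
        attr = getattr(self._obj, name)
        if getattr(attr, "exposed", False):
            def checked(groups, *args):
                if not self._allowed(groups):
                    raise PermissionError(name)
                return attr(*args)
            checked.exposed = checked.guarded = True
            return checked
        if self._cascade and isinstance(attr, Controller):
            return Guard(attr, self._allowed, True)   # re-wrap the subcontroller
        return attr                                   # subcontroller returned bare

class A3(Controller):
    @expose
    def meth3(self):
        return {}

class A2(Controller):
    A3 = A3()
    @expose
    def meth2(self):
        return {}

def make_root(cascade):
    guard = Guard(A2(), lambda groups: "test" in groups, cascade)
    return type("A1", (Controller,), {"A2": guard})()

def unguarded(node, path):  # paths of exposed methods with no permission check
    target = node._obj if isinstance(node, Guard) else node
    found = []
    for name in (n for n in dir(target) if not n.startswith("_")):
        attr = getattr(node, name)
        if isinstance(attr, (Controller, Guard)):
            found += unguarded(attr, path + "/" + name)
        elif getattr(attr, "exposed", False) and not getattr(attr, "guarded", False):
            found.append(path + "/" + name)
    return found
```

Calling unguarded(make_root(False), "/A1") reports the subcontroller method from the ticket, and the same walk over make_root(True) reports nothing.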