TurboGears beta 7 is an important security update for Beta 5 and Beta 6 users. Please update all production apps from b5 or b6 to beta 7 immediately. We're doing a Beta 7 rather than an RC1 because of the importance of this issue, and our desire to make absolutely sure that we've solidified all of this before doing a release candidate. Fortunately the upgrade from b6 should have no backwards incompatible changes, and should require no changes to your project.
B5 users should update to b6 and then b7. B6 users should be able to do a simple easy_install -U as described in the install instructions:

(tg2env)$ easy_install -U -i http://www.turbogears.org/2.0/downloads/current/index tg.devtools

(instructions: http://turbogears.org/2.0/docs/main/DownloadInstall.html)

The check for controller-wide security was not working properly, and we discovered that it was not enforcing controller-level security restrictions on subcontrollers. We take this very seriously even though it happened in a beta, and we are taking steps to assure that it won't happen again. It turns out that we moved some tests that would have prevented this into another package, and that left one small thing in TG which was no longer tested, and of course that's where our problem was. We've added several tests to make sure this can't happen again, and I've changed the way that we check controller authorization to be less fragile.

In order to make sure that the rapid development of our security stuff has not created any other issues, and in order to review all existing authorization/authentication code, we'll be holding a security sprint this weekend. We will be adding additional integration tests and doing a full audit of all security-related packages on Sunday.

There was also another issue that kept the __before__ method used by our controller security system from running properly. Special thanks go out to Alberto Valverde for contributing fixes to both of these critical issues.

We've also added some more tests to the quickstart. In particular, there are tests for the security system built right into the quickstarted project, so users can easily see how to assure that their security measures are working the way they expect, and we have some additional helpers for testing authorization rules coming in the next release.
--
Mark Ramm-Christensen
email: mark at compoundthinking dot com
blog: www.compoundthinking.com/blog
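The subcontroller problem described in the announcement, shown as an added, self-contained Python model that is not TurboGears' own code: a tiny object-dispatch framework where a parent controller carries an `allow_only` predicate (the attribute name follows TurboGears 2; everything else, including `Controller`, `resolve` and the constructed `/admin` sample app, is assumed for illustration). It contrasts a fragile check that consults only the last controller on the dispatch path with one that walks every controller, which is the kind of assertion the quickstart's security tests should make.

```python
# Simplified model of controller-wide authorization in an object-dispatch web
# framework (loosely modelled on TurboGears 2's allow_only; NOT TurboGears' code).
# Contrasts a fragile check that consults only the final controller on the
# dispatch path with one that walks every controller on the path.


class Controller:
    def __init__(self, allow_only=None, **subcontrollers):
        # allow_only: predicate(user) -> bool, or None for "no restriction"
        self.allow_only = allow_only
        self.subcontrollers = subcontrollers


def resolve(root, path):
    """Return the controllers visited while dispatching `path` from `root`."""
    chain = [root]
    for segment in path.strip("/").split("/"):
        sub = chain[-1].subcontrollers.get(segment)
        if sub is None:
            break  # remaining segments are the action and its arguments
        chain.append(sub)
    return chain


def authorize_leaf_only(root, path, user):
    """Fragile: only the last controller's allow_only is enforced."""
    leaf = resolve(root, path)[-1]
    return leaf.allow_only is None or leaf.allow_only(user)


def authorize_whole_chain(root, path, user):
    """Robust: every controller on the dispatch path must allow the user."""
    return all(c.allow_only is None or c.allow_only(user)
               for c in resolve(root, path))


# Constructed sample app: /admin is restricted to the 'managers' group;
# its subcontroller /admin/reports declares no predicate of its own.
def is_manager(user):
    return user is not None and "managers" in user["groups"]


ROOT = Controller(admin=Controller(allow_only=is_manager, reports=Controller()))
ANONYMOUS = None
MANAGER = {"name": "alice", "groups": ["managers"]}

if __name__ == "__main__":  # leaf-only check wrongly admits anonymous to /admin/reports
    for check in (authorize_leaf_only, authorize_whole_chain):
        print(check.__name__, check(ROOT, "/admin/reports/index", ANONYMOUS))
```

A functional test for a real project should make the same assertion through the HTTP layer: an anonymous request to an action under a protected controller must be refused, even when the subcontroller itself sets no predicate.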