> TurboGears beta 7 is an important security update for Beta 5 and Beta 6
> users. Please update all production apps from b5 or b6 to beta 7
> immediately. We're doing a Beta 7 rather than an RC1 because of the
> importance of this issue, and our desire to make absolutely sure that
> we've solidified all of this before doing a release candidate.
> Fortunately the upgrade from b6 should have no backwards incompatible
> changes, and should require no changes to your project.
>
> B5 users should update to b6 and then b7. B6 users should be able to
> do a simple easy_install -U as described in the install instructions:
>
> (tg2env)$ easy_install -U -i http://www.turbogears.org/2.0/downloads/current/index tg.devtools
>
> (instructions: http://turbogears.org/2.0/docs/main/DownloadInstall.html )
>
> The check for controller wide security was not working properly, and
> we discovered that not enforcing controller level security
> restrictions on subcontrollers. We take this very seriously even though
> it happened in a beta, and we are taking steps to assure that it won't
> happen again. It turns out that we moved some tests that would have
> prevented this into another package, and that left one small thing in
> TG which was no longer tested, and of course that's where our problem
> was. We've added several tests to make sure this can't happen again,
> and I've changed the way that we check controller authorization to be
> less fragile.
>
> In order to make sure that the rapid development of our security stuff
> has not created any other issues, and in order to review all existing
> authorization/authentication code we'll be holding a security sprint
> this weekend. We will be adding additional integration tests, and
> doing a full audit of all security related packages on Sunday.
>
> There was also another issue that kept the __before__ method used by
> our controller security system from running properly. Special thanks
> goes out to Alberto Valverde for contributing to fixes to both these
> critical issues.
>
> We've also added some more tests to the quickstart. In particular
> there are tests for the security system built right into the
> quickstarted project so users can easily see how to assure that their
> security measures are working the way they expect, and we have some
> additional helpers for testing authorization rules coming in the next
> release.

Is this by any chance related to the very similar tg1 problem http://trac.turbogears.org/ticket/2207 ? Would the tg2 fix also fix the tg1 problem?

Cheers,
Daniel

--
Psss, psss, put it down! - http://www.cafepress.com/putitdown
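
An added illustration, not part of the thread and not TurboGears code: a toy object-dispatch model of the failure class the announcement describes, where a controller-wide restriction is not enforced for a subcontroller, together with the kind of regression check that catches it. All class, attribute and function names are hypothetical, and the actual TurboGears mechanism and fix are not shown in the thread.

```python
# Toy model only: names and dispatch logic are assumptions, not TurboGears internals.
class Denied(Exception):
    """Raised when a controller-wide restriction rejects the user."""

class Controller:
    restriction = None  # controller-wide predicate: callable(user) -> bool, or None

    def index(self, user):
        return type(self).__name__

def is_admin(user):
    return user == "admin"

class ReportsController(Controller):
    pass  # declares no restriction of its own; relies on its parent

class AdminController(Controller):
    restriction = staticmethod(is_admin)  # meant to cover everything below /admin
    reports = ReportsController()

class RootController(Controller):
    admin = AdminController()

def dispatch(root, path, user, check_every_hop=True):
    """Resolve path to a controller, enforce restrictions, call its index()."""
    chain = [root]
    for segment in filter(None, path.split("/")):
        nxt = getattr(chain[-1], segment, None)
        if not isinstance(nxt, Controller):
            raise LookupError(path)
        chain.append(nxt)
    # Fragile variant: only the controller that owns the handler is consulted,
    # so a restriction declared on a parent never runs for its subcontrollers.
    to_check = chain if check_every_hop else chain[-1:]
    for controller in to_check:
        predicate = controller.restriction
        if predicate is not None and not predicate(user):
            raise Denied(path)
    return chain[-1].index(user)

def allowed(path, user, check_every_hop=True):
    """Regression-test helper: True if the request reaches the handler."""
    try:
        dispatch(RootController(), path, user, check_every_hop)
        return True
    except Denied:
        return False
```

A test that only requests `/admin` passes under both variants; only a request to the nested path separates them, which is why the subcontroller case needs its own test.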
