I forget if I submitted a collector issue about this before, but I
didn't see it. I just posted one at
Title: PortalFolder.py _verifyObjectPaste ignores executable security
Version info: CMF 1.5.4 but also in trunk
_verifyObjectPaste calls "sm.checkPermission(permission_name,self)"
rather than "_checkPermission(permission_name,self)"
This makes it ignore executable security. So, if _verifyObjectPaste is
in an external method or in a script with sufficient proxy roles, it
raises an Unauthorized error for users when the external method /
proxy role security should suffice.
[originally posted this on the zope list yesterday but then discovered
this list also]
On 9/9/05, Dieter Maurer <[EMAIL PROTECTED]> wrote:
> George Lee wrote at 2005-9-8 23:57 -0400:
> > ...
> >Is it okay to just replace sm.checkPermission with _checkPermission
> >from CMFCore.utils or is that not okay?
> Yes. But, please file a bug report as well.
> >Also Dieter I noticed that Alan Runyan and you briefly discussed this
> >issue back in 2002:
> Any internal use should always take executable security (i.e.
> executable ownership and proxy roles) into account.
> Not doing so is a bug, as things expected to be possible are not
> and (maybe even worse) things expected to be impossible may
> be possible.
> There may be a need for application code to check the permissions
> of the user with proxy roles not taken into account.
> E.g. a script that must use a "Manager" role to do one
> thing but does not want to do another unless the current
> user has specific permissions.
> For this case, there also should be a method checking
> permissions with proxy roles not taken into account.
Zope-CMF maillist - Zope-CMF@lists.zope.org
See http://collector.zope.org/CMF for bug reports and feature requests
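
The distinction this thread turns on, shown as an added example that is not part of the original messages and is not Zope or CMF code. It is a simplified Python model: every class and function name is hypothetical, and the permission-to-roles mapping and users are constructed.

```python
# Simplified model of the two kinds of check discussed in this thread.
# All names are hypothetical; this is not Zope or CMF code.
from dataclasses import dataclass

# Constructed sample: roles that hold the permission on the target folder.
PERMISSION_ROLES = {"Add portal content": frozenset({"Manager", "Owner"})}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Executable:
    """A script on the execution stack: its owner and its proxy roles."""
    owner: User
    proxy_roles: frozenset = frozenset()


def check_user_only(user, permission, stack=()):
    """Ignores executable security: only the requesting user's roles count."""
    return bool(user.roles & PERMISSION_ROLES[permission])


def check_with_executable_security(user, permission, stack=()):
    """Takes executable ownership and proxy roles into account."""
    required = PERMISSION_ROLES[permission]
    if stack:
        exe = stack[-1]  # innermost running executable
        # Ownership: a script may not do what its owner could not do.
        if not exe.owner.roles & required:
            return False
        # Proxy roles stand in for the user's roles while the script runs.
        if exe.proxy_roles:
            return bool(exe.proxy_roles & required)
    return bool(user.roles & required)


def scenarios():
    """Constructed cases: a Member calling a Manager-owned proxy script."""
    member = User("member", frozenset({"Member"}))
    admin = User("admin", frozenset({"Manager"}))
    script = Executable(owner=admin, proxy_roles=frozenset({"Manager"}))
    perm = "Add portal content"
    return {
        "paste via script, user-only check": check_user_only(member, perm, (script,)),
        "paste via script, executable-aware": check_with_executable_security(member, perm, (script,)),
        "direct call, executable-aware": check_with_executable_security(member, perm),
    }
```

The same two functions also show the opposite failure: a Manager running a script whose proxy roles lack the permission is refused by the executable-aware check but passes the user-only one.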