On Thu, 10 Aug 2000 14:15:29 -0400, Brian Lloyd <[EMAIL PROTECTED]>
wrote:
> The issue involves the fact that the getRoles method of user objects
> contained in the default UserFolder implementation returns a mutable
> Python type. Because the mutable object is still associated with the
> persistent User object, users with the ability to edit DTML could
> arrange to give themselves extra roles for the duration of a single
> request by mutating the roles list as a part of the request
> processing.
OK, so I can exploit this with something similar to
user.getRoles().append('A Role That I Dont Have')
But, why isn't the append method covered by the new
inaccessible-by-default 2.2 security rules?
Toby Dickenson
[EMAIL PROTECTED]
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
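The point under discussion is that an accessor which hands out the object's own mutable list lets any caller who may call the accessor change persistent state, whereas returning an immutable snapshot does not. The following is an added illustration, not Zope's code: the `User` class, its `_roles` attribute, and the `getRoles_unsafe` / `getRoles` / `accessor_aliases_state` names are all assumptions made for the example.

```python
# Added illustration (not Zope's UserFolder code): contrasting an accessor
# that returns its internal mutable list with one that returns a tuple.


class User:
    """Minimal stand-in for a UserFolder user with a persistent roles list."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)  # internal, "persistent" state (assumed layout)

    # Vulnerable pattern: returns the internal list object itself, so whoever
    # can call the accessor can also mutate the user's roles through it.
    def getRoles_unsafe(self):
        return self._roles

    # Hardened pattern: return an immutable snapshot. The caller only ever
    # sees a copy, and tuples cannot be appended to at all.
    def getRoles(self):
        return tuple(self._roles)

    def has_role(self, role):
        return role in self._roles


def demo_unsafe_accessor():
    """Mutating the returned list changes the user's effective roles."""
    u = User("alice", ["Anonymous"])  # constructed sample user
    before = u.has_role("Manager")
    u.getRoles_unsafe().append("Manager")  # mutation leaks into the object
    after = u.has_role("Manager")
    return before, after  # (False, True)


def demo_safe_accessor():
    """The tuple-returning accessor cannot be used the same way."""
    u = User("alice", ["Anonymous"])  # constructed sample user
    roles = u.getRoles()
    try:
        roles.append("Manager")  # tuple has no append -> AttributeError
        mutated = True
    except AttributeError:
        mutated = False
    return mutated, u.has_role("Manager")  # (False, False)


def accessor_aliases_state(user, accessor_name):
    """Audit check: does the named accessor return the very object that
    holds the user's internal state (identity, not equality)?"""
    return getattr(user, accessor_name)() is user._roles


if __name__ == "__main__":
    print("unsafe accessor (before, after):", demo_unsafe_accessor())
    print("safe accessor (mutated, has Manager):", demo_safe_accessor())
    for name in ("getRoles_unsafe", "getRoles"):
        print(name, "aliases internal state:",
              accessor_aliases_state(User("bob", []), name))
```

The identity check in `accessor_aliases_state` is the quick way to audit any accessor of this shape: if the returned object `is` the internal container, every caller with call access also has write access to it, regardless of what attribute-level security rules say about the container's methods.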