On Thu, 10 Aug 2000 14:15:29 -0400, Brian Lloyd <[EMAIL PROTECTED]>

>  The issue involves the fact that the getRoles method of user objects 
>  contained in the default UserFolder implementation returns a mutable 
>  Python type. Because the mutable object is still associated with the 
>  persistent User object, users with the ability to edit DTML could 
>  arrange to give themselves extra roles for the duration of a single 
>  request by mutating the roles list as a part of the request

OK, so I can exploit this with something similar to
user.getRoles().append('A Role That I Dont Have')

But, why isnt the append method covered by the new
inaccessible-by-default 2.2 security rules?

Toby Dickenson

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to