----- Original Message ----- 
From: "Toby Dickenson" <[EMAIL PROTECTED]>
Sent: Thursday, August 01, 2002 3:51 PM
Subject: Re: [Zope-dev] Removing the acquisition wrapper from an object (Python script)

On Thursday 01 Aug 2002 2:44 pm, Gilles Lenfant wrote:

>> I can't understand that reason because it's also easy to strip away an
>> object's security settings in an untrusted python script that has a Manager
>> proxy. Well, I'm gonna make my 2 or 3 lines External method :(

>If thats true, its a bug. a serious one too. Please file an example in the 


It's definitively *NOT* a bug but a feature that's completely documented.
Most Zope objects inherit of RoleManager class. This class has (among others) this 
method :

manage_permission(self, permission_to_manage, roles=[], acquire=0, REQUEST=None)

Just use this method in an "untrusted" python script on any Zope object, add to it 
Manager proxy, and you're done.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to