The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:

***************
*** 312,318 ****
              # Skip directly to item access
              o = object[name]
              # Check access to the item.
!             if not validate(object, object, name, o):
                  raise Unauthorized, name
              object = o
              continue
- --- 307,313 ----
              # Skip directly to item access
              o = object[name]
              # Check access to the item.
!             if not validate(object, object, None, o):
                  raise Unauthorized, name
              object = o
              continue
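
Review bot: The changed line in 307,313, `if not validate(object, object, None, o):`, withholds the item name from the check while the following line still raises `Unauthorized, name`, and the comment above it (`# Check access to the item.`) gives no reason for the difference. Extend that comment to say why None is passed instead of `name`, so the call does not read as an oversight, or keep passing `name` if access checks are expected to see it.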
***************
*** 367,373 ****
                      raise
                  else:
                      # Check access to the item.
!                     if not validate(object, object, name, o):
                          raise Unauthorized, name
          object = o

- --- 362,368 ----
                      raise
                  else:
                      # Check access to the item.
!                     if not validate(object, object, None, o):
                          raise Unauthorized, name
          object = o

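Review bot: Passing None for `name` in the `else:` branch at 362,368 changes what name-based access checks receive on this path as well. According to the report in this message, a callable registered with `setDefaultAccess` that inspects its name argument, such as a `_checkAccess` calling `name.startswith('CG')`, no longer sees the key being looked up. If that is intended, say so in the change notes and add a test for item access on a class with a callable default access; if it is not, pass `name` as before.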

This has the side effect of not passing the name attribute to my security assertion methods registered via ClassSecurityInfo.setDefaultAccess:

from AccessControl import ClassSecurityInfo

class Foo(blah, blah, blah):
    security = ClassSecurityInfo()

    # Default access check: allow only names starting with 'CG'
    def _checkAccess(self, name, value):
        if name.startswith('CG'):
            return 1
        return 0
    security.setDefaultAccess(_checkAccess)

    def __getitem__(self, key):
        ''' Access via dictionary interface, with security
            provided via _checkAccess
        '''
        return 'example'

Reversing the changes to Expression.py seems to break lots of
things (including SiteErrorLog), so I'm sure this is much more
involved.

Can anyone shed light onto what is going on?

-- Stuart Bishop <[EMAIL PROTECTED]>
http://www.stuartbishop.net/