[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

Tres Seaver Thu, 15 Jan 2004 10:21:05 -0800

Jim Fulton wrote:

Tres Seaver wrote:
I will let Jim comment on your use case.

What use case? I missed it. Where is it?

Here is Stuart's original post:

This has the side effect of not passing the name attribute to
my security assertion methods registered via
ClassSecurityInfo.setDefaultAccess:

class Foo(blah, blah, blah):
    security = ClassSecurityInfo()
    def _checkAccess(self, name, value):
        if name.startswith('CG'):
            return 1
        return 0
    security.setDefaultAccess(_checkAccess)

    def __getitem__(self, key):
        ''' Access via dictionary interface, with security
            provided via _checkAccess
        '''
        return 'example'

The old code allowed this example to work, because it passed 'name' when validating __getitem__ access.

Tres.
--
===============================================================
Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"       http://www.zope.com

_______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

Reply via email to