On 21/01/2004, at 2:34 AM, Tres Seaver wrote:


Zope 2.6.3 added a new security check for untrusted code, to ensure that the "bindings" created (in particular, 'context' and 'container') weren't set up if the user didn't have access to the bound objects.

You can either:

- On the template's "Bindings" tab, unbind the 'context' name
(assuming that your template does not use either 'context' or 'here')

- Give the template a proxy role of 'Manager'.

Don't suppose you can be more specific on 'has access'. According to
my security tab, my container has both View and Access Contents Information
granted to Authenticated. Somewhere, I'm losing authorization where in 2.7b3
I wasn't.

I think I've tracked down a minimal example, the trigger being my
use of __allow_access_to_unprotected_subobjects__ = None. I'm thinking
this recent change is incompatible if a parent object tightens security
in this way or uses security.setDefaultAccess('deny'). The
workaround is to explicitly grant access to the name '' as I've done
in the attached example.

Should policy.validate(name='') be changed to cope with this
situation, or shall I update CHANGES.txt and
ClassSecurityInfo.setDefaultAccess attempting to explain the situation and
the fix?


Attachment: __init__.py
Description: Binary data



-- Stuart Bishop <[EMAIL PROTECTED]>
http://www.stuartbishop.net/
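A simplified model, added here and not Zope's own code, of the validation the thread is about: the 2.6.3 binding check validates the bound object under the empty name '', and a container whose __allow_access_to_unprotected_subobjects__ is None denies that lookup unless '' is explicitly granted. The validate() logic only approximates ZopeSecurityPolicy; the folder classes and binding_allowed() helper are constructed for illustration.

```python
# Simplified model (not Zope's code) of how a name looked up on a container
# is validated, and why an empty name '' is denied by a tightened container.
_MISSING = object()


def validate(container, name, value, user_roles):
    """Return True if `value`, reached as `name` on `container`, is accessible."""
    roles = getattr(value, '__roles__', _MISSING)
    if roles is not _MISSING:
        # Protected object: None means public, otherwise require a shared role.
        return roles is None or bool(set(roles) & set(user_roles))
    # Unprotected object: defer to the container's policy attribute.
    policy = getattr(container, '__allow_access_to_unprotected_subobjects__', None)
    if policy is None:
        return False                      # tightened security: deny everything
    if isinstance(policy, dict):
        policy = policy.get(name, 0)      # per-name grants, e.g. {'': 1}
    elif callable(policy):
        policy = policy(name, value)
    return bool(policy)


class DenyingFolder:
    """Constructed container that tightens security as the thread describes."""
    __allow_access_to_unprotected_subobjects__ = None


class FixedFolder:
    """Same container with the workaround: the name '' is granted explicitly."""
    __allow_access_to_unprotected_subobjects__ = {'': 1}


class OpenFolder:
    """Container that allows unprotected subobjects (the permissive setting)."""
    __allow_access_to_unprotected_subobjects__ = 1


class ManagerOnlyDoc:
    """Constructed protected object, reachable only by the Manager role."""
    __roles__ = ('Manager',)


def binding_allowed(folder_cls, user_roles=('Authenticated',)):
    """Model the 'context' binding check: validate the folder itself as name ''."""
    folder = folder_cls()
    return validate(folder, '', folder, user_roles)


if __name__ == '__main__':
    for cls in (DenyingFolder, FixedFolder, OpenFolder):
        print(cls.__name__, 'binding allowed:', binding_allowed(cls))
```

The proxy-role option from the first reply corresponds to calling with user_roles containing 'Manager', which only helps for objects that carry __roles__; a container with default access 'deny' still needs the '' grant.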


_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev