Dieter Maurer wrote:

Santi Camps wrote at 2004-10-18 12:37 +0200:


...
I have a persistent object A and a non persistent object B. B has implicit acquisition. From trusted code I return B.__of__(A). Trying to access B.meta_type from untrusted code (a ZPT) raises the error. B has no attribute meta_type, so it should be returned from A using implicit acquisition. A has all necessary security assertions.



"meta_type" is probably a string. Elementary data types (such as string) do not know anything about acquisition. The code that checks the permissions cannot (easily) determine where it comes from (other than reimplementing acquisition, which would not be a good thing).



Yes, meta_type is an attribute of type string, but I don't understand your reasons. Acquisition, obviously, is not implemented in strings, but if the object containing the meta_type attribute inherits from Acquisition.Implicit it should work. In fact, it works for Zope 2.7.0 to 2.7.2. The problem appears in Zope 2.7.3, and I think that the problem is the change I mentioned in AccessControl/cAccessControl.c and AccessControl/ImplPython.py. I suppose this change is for some reasonable reason, but if it breaks security validations through implicit acquisition I think the change should be considered.

Regards

Santi Camps
http://www.earcon.com
