Santi Camps wrote:

Richard Jones wrote:

On 19/10/2004, at 4:33 PM, Santi Camps wrote:

Yes, meta_type is an attribute of type string, but I don't understand your reasons. Acquisition, obviously, is not implemented in strings, but if the object containing the meta_type attribute inherits from Acquisition.Implicit it should work. In fact, it works for Zope 2.7.0 to 2.7.2. The problem appears in Zope 2.7.3, and I think that the problem is the change I mentioned in AccessControl/cAccessControl.c and AccessControl/ImplPython.py. I suppose this change is for some reasonable reason, but if it breaks security validations through implicit acquisition I think the change should be considered.



AFAIK Tres is working on this. I was unable to produce a simple example case, but more recently Stefan Holek (I think) was. The last I saw was Tres saying "Aargh!" on the 13th, then on the 14th saying he's unable to produce good test cases.

And that's the problem. Tres' patch removed "DWIM" code. I'm not sure what that meant (I know what DWIM stands for ;) ... and I'm unable to state exactly (in a test case) what it is that my code does that invokes the DWIM'y code.


Richard


Thanks very much for the information, Richard. I think I should be able to provide good test code (our whole framework crashes in Zope 2.7.3 due to this patch). Let's go.

Santi Camps
http://www.earcon.com

Here is a test case for that problem. It's a very simple case of what my framework does.

How to proceed:
1) Install the product in a Zope 2.7.3 beta
2) Add an instance of meta type "AccessControl Test"
3) Try http://localhost:8080/AccessControlTest/get_sum_of_values. It works fine (it is a method of the Test class)
4) Try http://localhost:8080/AccessControlTest/get_product_of_values. It also works fine (it is a method of the Adapter class)
5) Try http://localhost:8080/AccessControlTest/crashing_test (it is a ZPT trying to access the previous methods). It crashes!!
*Error Type: Unauthorized*
*Error Value: The container has no security assertions. Access to 'get_sum_of_values' of (Adapter instance at 40ae6ac0) denied.*

Obviously, this is not reasonable behaviour. If I can access those methods directly from a URL, I should be able to do it from a ZPT.

Doing the same on Zope 2.7.2 works fine.

I hope this helps

Santi Camps
http://www.earcon.com



Attachment: testAccessControl.tar.gz
Description: application/gzip

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
