Santi Camps wrote at 2004-10-20 07:18 +0200:
>Anyway, I can't understand a behaviour that allows to access a method
>directly from the URL and crashes when the access is done from a ZPT.
"ZPublisher" (more precisely: "ZPublisher.BaseRequest.BaseRequest.traverse")
is responsible for security checking for Web traversal. It uses a
different approach than "AccessControl" (which protects access
from restricted code).
As you found out:
Tres fixed a security hole in "AccessControl",
but a similar hole is still present in "ZPublisher"...
>On the other hand, I don't think that current code could be considered a
>security hole. If a method is unprotected, then the protection of the
>object itself is applied. I like it.
But the names chosen to control this behaviour
("__allow_access_to_unprotected_subobjects__") suggest that this
should not apply automatically.
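The two policies contrasted in this message, as a simplified model added here (illustrative code, not Zope's AccessControl or ZPublisher): an attribute with no protection declaration is reachable only when the container sets `__allow_access_to_unprotected_subobjects__`, whereas the traversal behaviour described lets it inherit the container's protection regardless. The dict layout, the role names and the `check_access` helper are assumptions for this example.

```python
# Simplified model written for this note; not Zope's own code.
# A "container" is a dict:
#   "roles_required": roles that may view the container itself
#   "declared": {attribute name: roles} for explicitly protected attributes
#   "__allow_access_to_unprotected_subobjects__": the container's flag


def can_view_container(user_roles, container):
    """True if the user holds a role that may view the container."""
    return bool(user_roles & container["roles_required"])


def check_access(user_roles, container, name, inherit_when_unprotected):
    """Decide whether `name` on `container` may be accessed.

    inherit_when_unprotected=False models restricted code after the
    AccessControl fix: undeclared subobjects are reachable only if the
    container opts in via __allow_access_to_unprotected_subobjects__.
    inherit_when_unprotected=True models the traversal behaviour the
    message describes: an undeclared method falls back to the
    container's protection even when the flag is not set.
    """
    if name in container["declared"]:
        # An explicit declaration always decides, for both policies.
        return bool(user_roles & container["declared"][name])
    opted_in = container["__allow_access_to_unprotected_subobjects__"]
    if opted_in or inherit_when_unprotected:
        return can_view_container(user_roles, container)
    # Strict default: an unprotected subobject is not reachable at all.
    return False


# Constructed sample: a publicly viewable document whose editing method
# is protected and whose helper method carries no declaration.
DOC = {
    "roles_required": {"Anonymous", "Manager"},
    "declared": {"manage_edit": {"Manager"}},
    "__allow_access_to_unprotected_subobjects__": False,
}


def demo(anon={"Anonymous"}):
    """Same undeclared helper, two policies; declared method unaffected."""
    return {
        "edit_via_code": check_access(anon, DOC, "manage_edit", False),
        "edit_via_url": check_access(anon, DOC, "manage_edit", True),
        "helper_via_code": check_access(anon, DOC, "undeclared_helper", False),
        "helper_via_url": check_access(anon, DOC, "undeclared_helper", True),
    }
```

Running `demo()` shows the divergence the message points at: the undeclared helper is denied under the strict policy but granted under the inheriting one, while the declared `manage_edit` is denied to Anonymous either way.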
Zope-Dev maillist - [EMAIL PROTECTED]