Santi Camps wrote at 2004-10-20 07:18 +0200:
> ...
>Anyway, I can't understand a behaviour that allows to access a method
>directly from the URL and crashes when the access is done from a ZPT.

"ZPublisher" (more precisely: "ZPublisher.BaseRequest.BaseRequest.traverse")
is responsible for security checking for Web traversal. It uses a
different approach than "AccessControl" (which protects access
from restricted code).

As you found out:

   Tres fixed a security hole in "AccessControl"
   but a similar hole is still present in "ZPublisher"...

> ...
>On the other hand, I don't think that current code could be considered a
>security hole.  If a method is unprotected, then the protection of the
>object itself is applied.   I like it.

But the name chosen to control this behaviour
("__allow_access_to_unprotected_subobjects__") suggests that this
should not apply automatically.

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
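The two checking paths the message contrasts, as an added toy model that is not Zope's code and not from anyone in this thread. It assumes a simplified reading of the thread: for access from restricted code (a ZPT) an attribute with no role declaration is exposed only if the container sets `__allow_access_to_unprotected_subobjects__`, while for URL traversal an unprotected method falls back to the protection of the object it lives on. The `Document` class, the role names and the `object_roles` / `attribute_roles` / `allow_unprotected` fields are constructed for the example; real Zope keeps these in `__roles__` and `__ac_permissions__` and its traversal logic is more involved.

```python
"""Toy model of the two Zope security paths discussed in the thread.

Added illustration, not Zope code.  Both checkers are deliberately small
so the discrepancy Santi reported (URL access works, ZPT access is
denied) can be seen on the same object with the same user.
"""

from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"
MANAGER = "Manager"


@dataclass
class Document:
    """Constructed container: protected as a whole, with one unprotected method."""
    # roles allowed to reach the object itself (hypothetical "View" protection)
    object_roles: set = field(default_factory=lambda: {MANAGER})
    # per-attribute role declarations; names absent here are "unprotected"
    attribute_roles: dict = field(default_factory=dict)
    # stands in for __allow_access_to_unprotected_subobjects__ (0 = do not expose)
    allow_unprotected: int = 0

    def secret_method(self):
        # an unprotected method: nothing in attribute_roles mentions it
        return "secret"


def check_restricted_code(container, name, user_roles):
    """AccessControl-style check for access from restricted code (e.g. a ZPT).

    A declared attribute is checked against its own roles.  An undeclared
    one is reachable only when the container explicitly allows access to
    unprotected subobjects; the container's own protection is not consulted.
    """
    roles = container.attribute_roles.get(name)
    if roles is not None:
        return bool(roles & user_roles)
    return bool(container.allow_unprotected)


def check_url_traversal(container, name, user_roles):
    """The traversal behaviour described in the thread for direct URL access.

    An undeclared attribute inherits the protection of the object it is
    looked up on, so anyone allowed to see the object can call the method.
    """
    roles = container.attribute_roles.get(name)
    if roles is not None:
        return bool(roles & user_roles)
    return bool(container.object_roles & user_roles)


def compare(container, name, user_roles):
    """Run both checks and report where they disagree."""
    url = check_url_traversal(container, name, user_roles)
    zpt = check_restricted_code(container, name, user_roles)
    return {"url": url, "restricted_code": zpt, "inconsistent": url != zpt}


if __name__ == "__main__":
    doc = Document()
    # A Manager reaches secret_method via the URL but not from a ZPT:
    print(compare(doc, "secret_method", {MANAGER}))
    # Anonymous is denied on both paths:
    print(compare(doc, "secret_method", {ANONYMOUS}))
    # Setting the flag makes the two paths agree again:
    print(compare(Document(allow_unprotected=1), "secret_method", {MANAGER}))
```

Running the block shows the case from the thread: the first line reports `inconsistent: True`, because the traversal path grants what the restricted-code path denies. Declaring roles for the method, or setting the flag, removes the disagreement, which is why the flag's name suggests the fallback should not happen automatically.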