Andreas Jung wrote:

--On Friday, 22 October 2004 8:38 -0400 Tres Seaver <[EMAIL PROTECTED]> wrote:

Andreas Jung wrote:

how severe is the problem that you have fixed? According to some
rumors the fix seems to break applications. The question for Zope
2.7.3 final is: is the problem severe enough to have it fixed for
2.7.3 with the risk of causing trouble with broken applications or
can we defer the fix to Zope 2.8?


I have yet to get a reproducible test case (one which breaks on 2.7-head
but works on 2.7.2) from the examples folks have supplied.  The bug which
I was fixing is a security issue, reported against CMF, but also
affecting Zope:

Given that the change was required to implement a security fix, and
without a reproducible test case for the reported breakage, I don't think
we can credit the rumors.  We *definitely* don't want to defer the
security fix.

I am not against the patch...I just need to know what the state of this issue is and what its
implications are for the final 2.7.3 release :-)

OK, here is my take, rephrased: the patch is there to support an important security fix (see the link above). Without a reproducible test case (I've tried and failed to make Stefan's reproducible within the AccessControl tests), we should just go forward and release 2.7.3.

Applications which use 'setDefaultAccess("deny")' for their content objects may need to quit trying to acquire CMF tools implicitly (using 'getToolByName' instead, which is the preferred API anyway); that is the only case I know of which can be isolated.

Richard Jones reported an issue with the patch, but couldn't give us a simple case. Users who *have* such weird applications can reverse the patch, find workarounds, or whatever, until they can help us isolate the bug.

Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"

Zope-Dev maillist - [EMAIL PROTECTED]