Hi Andreas!

Andreas Jung wrote:
> On 29.06.09 12:48, yuppie wrote:
>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>> All the other indexes don't have security declarations. AFAICS there is 
>> no way to access indexes from untrusted code without having the 'Manage 
>> ZCatalogIndex Entries' permission.
> I think that all index implementation should have security assertions?!


'_catalog.indexes' is protected by the underscore and using the 
'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only 
additional security restrictions would have any effect.

Or am I missing a security hole?



Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to