On 29.06.09 19:33, yuppie wrote:
> Hi Andreas!
>
> Andreas Jung wrote:
>> On 29.06.09 12:48, yuppie wrote:
>>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>>
>>> All the other indexes don't have security declarations. AFAICS there is
>>> no way to access indexes from untrusted code without having the 'Manage
>>> ZCatalogIndex Entries' permission.
>> I think that all index implementations should have security assertions?!
> Why?
>
> '_catalog.indexes' is protected by the underscore and using the
> 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
> additional security restrictions would have any effect.
>
> Or am I missing a security hole?

Not sure. I created a catalog /catalog and an index 'my_index'.

Within a debug shell:

>>> app.catalog.Indexes['my_index']
<FieldIndex at my_index>

>>> app.unrestrictedTraverse('catalog/Indexes/my_index')
<FieldIndex at /catalog//my_index>

>>> app.restrictedTraverse('catalog/Indexes/my_index')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 301, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 236, in unrestrictedTraverse
    next = guarded_getattr(obj, name)
AccessControl.unauthorized.Unauthorized: You are not allowed to access 'Indexes' in this context


hmmmm...

Andreas
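The behaviour the debug session above exercises, as a simplified model added here (it is not code from the thread and not Zope's own AccessControl implementation): unrestricted traversal reaches the index directly, while restricted traversal is refused at the 'Indexes' alias because of the 'Manage ZCatalogIndex Entries' permission and at '_catalog' because of the underscore rule, so the FieldIndex itself needs no declarations to stay out of reach. The classes `ZCatalog` and `FieldIndex`, the `required_permissions` table, `model_guarded_getattr`, `traverse` and the sample application built by `build_app` are all constructed stand-ins, not Zope APIs.

```python
"""Simplified model of Zope's restricted vs. unrestricted traversal.

Constructed illustration, not Zope code.  It models the rule the thread
relies on: '_catalog' is shielded by the underscore convention and the
'Indexes' alias by the 'Manage ZCatalogIndex Entries' permission, so an
index object that declares no permissions of its own is still
unreachable from untrusted code.
"""


class Unauthorized(Exception):
    """Raised when restricted traversal is refused (same wording as Zope's error)."""


class FieldIndex:
    """Stand-in for an index class with no security declarations at all."""

    def __init__(self, index_id):
        self.id = index_id

    def __repr__(self):
        return "<FieldIndex at %s>" % self.id


class ZCatalog:
    """Stand-in for a catalog.  'required_permissions' is a hypothetical
    table modelling a Zope security declaration on the 'Indexes' alias."""

    required_permissions = {"Indexes": "Manage ZCatalogIndex Entries"}

    def __init__(self):
        self._catalog = {"indexes": {}}          # private: underscore rule applies
        self.Indexes = self._catalog["indexes"]  # public alias, permission-guarded

    def addIndex(self, index_id):
        self._catalog["indexes"][index_id] = FieldIndex(index_id)


def _lookup(obj, name):
    """Unchecked lookup: attribute first, then item access for dict containers."""
    if hasattr(obj, name):
        return getattr(obj, name)
    try:
        return obj[name]
    except (KeyError, TypeError):
        raise KeyError("no such name: %r" % name)


def model_guarded_getattr(obj, name, permissions):
    """Checked lookup modelling guarded_getattr: underscore names are always
    refused, declared names need their permission, anything else passes."""
    if name.startswith("_"):
        raise Unauthorized("You are not allowed to access %r in this context" % name)
    required = getattr(type(obj), "required_permissions", {}).get(name)
    if required is not None and required not in permissions:
        raise Unauthorized("You are not allowed to access %r in this context" % name)
    return _lookup(obj, name)


def traverse(root, path, restricted, permissions=frozenset()):
    """Walk a slash-separated path; restricted=True applies the checks per step."""
    obj = root
    for name in path.split("/"):
        if restricted:
            obj = model_guarded_getattr(obj, name, permissions)
        else:
            obj = _lookup(obj, name)
    return obj


def build_app():
    """Constructed sample: an app root holding /catalog with one index 'my_index'."""
    catalog = ZCatalog()
    catalog.addIndex("my_index")
    return {"catalog": catalog}


def restricted_outcome(app, path, permissions=frozenset()):
    """Return the object reached, or the Unauthorized message if traversal is refused."""
    try:
        return traverse(app, path, restricted=True, permissions=permissions)
    except Unauthorized as exc:
        return str(exc)


if __name__ == "__main__":
    app = build_app()
    print(traverse(app, "catalog/Indexes/my_index", restricted=False))
    print(restricted_outcome(app, "catalog/Indexes/my_index"))
    print(restricted_outcome(app, "catalog/Indexes/my_index",
                             {"Manage ZCatalogIndex Entries"}))
    print(restricted_outcome(app, "catalog/_catalog/indexes/my_index"))
```

The check happens at every hop of the path, which is why the index's own lack of declarations never comes into play: a caller without the permission is stopped one level up, and a caller with it is already trusted to manage the indexes.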

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev