On 29.06.09 19:33, yuppie wrote:
> Hi Andreas!
>
> Andreas Jung wrote:
>
>> On 29.06.09 12:48, yuppie wrote:
>>
>>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>>
>>> All the other indexes don't have security declarations. AFAICS there is
>>> no way to access indexes from untrusted code without having the 'Manage
>>> ZCatalogIndex Entries' permission.
>>>
>> I think that all index implementations should have security assertions?!
>>
> Why?
>
> '_catalog.indexes' is protected by the underscore and using the
> 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
> additional security restrictions would have any effect.
>
> Or am I missing a security hole?
Not sure. I created a catalog /catalog and an index 'my_index'. Within a debug shell:

    >>> app.catalog.Indexes['my_index']
    <FieldIndex at my_index>
    >>> app.unrestrictedTraverse('catalog/Indexes/my_index')
    <FieldIndex at /catalog//my_index>
    >>> app.restrictedTraverse('catalog/Indexes/my_index')
    Traceback (most recent call last):
      File "<stdin>", line 1, in ?
      File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 301, in restrictedTraverse
        return self.unrestrictedTraverse(path, default, restricted=True)
      File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 236, in unrestrictedTraverse
        next = guarded_getattr(obj, name)
    AccessControl.unauthorized.Unauthorized: You are not allowed to access 'Indexes' in this context

hmmmm...

Andreas
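To make the traversal checks discussed in this thread concrete, here is an added Python model (not Zope's code and not from the thread) of restrictedTraverse walking the path from the debug session: every step goes through a guarded_getattr stand-in that rejects underscore names and checks the declared permission against the caller's roles. The object names and the 'Manage ZCatalogIndex Entries' permission come from the thread; the 'View' permission on 'catalog', the role names and the Node/FieldIndex classes are constructed assumptions.

```python
class Unauthorized(Exception):
    """Stand-in for AccessControl.unauthorized.Unauthorized."""
# Permission -> roles holding it (constructed; the 'View' entry is an assumption).
PERMISSION_ROLES = {"View": {"Anonymous", "Manager"},
                    "Manage ZCatalogIndex Entries": {"Manager"}}

class Node:
    """A traversable object carrying per-attribute security declarations."""
    def __init__(self, name, **children):
        self.name = name
        self.__dict__.update(children)
        self._security = {}          # attribute name -> required permission
    def declare_protected(self, permission, *names):
        for n in names:
            self._security[n] = permission
    def __repr__(self):
        return "<%s at %s>" % (type(self).__name__, self.name)
class FieldIndex(Node):
    """The index class itself carries no declarations, as in the thread."""
def guarded_getattr(obj, name, roles):
    """Model of guarded_getattr: underscore names are never reachable from restricted
    code; any other name needs a declaration that one of the caller's roles satisfies."""
    perm = getattr(obj, "_security", {}).get(name)
    if name.startswith("_") or perm is None or not (PERMISSION_ROLES.get(perm, set()) & set(roles)):
        raise Unauthorized("You are not allowed to access '%s' in this context" % name)
    return getattr(obj, name)
def traverse(root, path, restricted=False, roles=()):
    """Walk a '/'-separated path; restricted=True checks each step (restrictedTraverse)."""
    obj = root
    for name in filter(None, path.split("/")):
        obj = guarded_getattr(obj, name, roles) if restricted else getattr(obj, name)
    return obj
def describe_access(root, path, roles):
    # Restricted traversal outcome: the reached object's repr, or the Unauthorized text.
    try:
        return repr(traverse(root, path, restricted=True, roles=roles))
    except Unauthorized as e:
        return str(e)

def build_app():
    """Constructed site: /catalog with one FieldIndex 'my_index', as in the thread."""
    index = FieldIndex("my_index")
    indexes = Node("Indexes", my_index=index)
    catalog = Node("catalog", Indexes=indexes, _catalog=Node("_catalog", indexes={"my_index": index}))
    catalog.declare_protected("Manage ZCatalogIndex Entries", "Indexes")
    indexes.declare_protected("Manage ZCatalogIndex Entries", "my_index")
    app = Node("app", catalog=catalog)
    app.declare_protected("View", "catalog")
    return app
```

In this model the index class itself stays undeclared, and the only non-underscore route to my_index is stopped at 'Indexes' for a caller without 'Manage ZCatalogIndex Entries', which is the step where the debug session's traceback stopped as well.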
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev