AFAIK this is still open, moved to Zope-Dev.
On Sun, Apr 24, 2011 at 12:18 PM, Martin Aspeli <optil...@gmx.net> wrote:
> On 23 April 2011 19:10, David Glick <dgl...@gmail.com> wrote:
>> On 4/21/11 9:57 AM, Laurence Rowe wrote:
>>> On 21 April 2011 10:19, Roel Bruggink<r...@fourdigits.nl> wrote:
>>>> We noticed that calling @@ on an url shows the annotations of that
>>>> This works for anonymous, but only in Plone 4.
>>>> See http://plone-demo.sixfeetup.com/@@ .
>>> Ok, this is due to the standard view lookup code in
>>> ob2 = namespaceLookup(ns, nm, ob, self)
>>> It's getting the adapter registered in zope.annotations:
>>> for=".interfaces.IAttributeAnnotatable *"
>>> I'm not quite sure what this 2-way adapter is for.
>>> AttributeAnnotations.__init__ takes an optional context argument which
>>> is promptly thrown away.
>>> Two ways to fix this:
>>> 1. Register a more specific adapter for (IAttributeAnnotatable,
>>> IRequest) which would raise a KeyError or something to provoke a
>>> NotFound response.
>>> 2. Add a __str__ method to AttributeAnnotations so no information is
>>> leaked when it is published.
>>> 3. Special case traverseName to check that the namespace name is not
>>> the empty string.
>>> I guess I can see the use-case for allowing @@ in page templates and
>>> such, but this is actually prevented by code in
>>> OFS.Traversable.Traversable.unrestrictedTraverse which specifically
>>> checks for nsParse(name), the namespace name.
>>> Perhaps we would be better moving this discussion to zope-dev. It
>>> doesn't seem too serious from a security perspective.
>> A possible long-term solution (involving an API change) would be to make the
>> view registration directives register views as adapters to an IBrowserPage
>> interface, and then make the view traverser look up adapters to that
>> interface instead of (implicitly) to Interface. Then it couldn't find random
>> (context,request) adapters that weren't intended to be views and that didn't
>> get security declarations.
> I agree this would be much better, but I think it's too big a change
> and something we'll need to live with: a lot of code does
> getMultiAdapter((context, request,), name="...") to get a view.
> A slightly more clunky but compatible idea may be to just explicitly
> check IView.providedBy(obj) during publication?
Four Digits BV
http://www.fourdigits.nl tel: +31(0)26 4422700
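As an added illustration (not code from Zope, zope.traversing or anyone in this thread), the following self-contained Python model reproduces the reported behaviour, where "@@" parses to namespace "view" with an empty name and the unnamed (context, request) adapter is returned, and shows the two compatible fixes discussed: rejecting an empty namespace name (option 3) and requiring the looked-up object to be a view (Martin's IView.providedBy check). The registry, the View and AttributeAnnotations classes, the NotFound exception and ns_parse are simplified stand-ins, not the real Zope APIs.

```python
# Constructed model of the @@ traversal issue; registry and classes are stand-ins.

class NotFound(Exception):
    """Stand-in for the publisher's NotFound response."""


class View:
    """Marker base for objects that were registered as browser views."""
    def __init__(self, context, request):
        self.context, self.request = context, request


class AttributeAnnotations:
    """Stand-in for the unnamed (IAttributeAnnotatable, *) adapter; the request
    argument is accepted and discarded, as the thread describes."""
    def __init__(self, context, request=None):
        self.data = {"secret": "private-note"}  # constructed sample annotation


# (context, request) multi-adapters keyed by name; "" is the unnamed adapter.
REGISTRY = {
    "main": lambda ctx, req: View(ctx, req),
    "": lambda ctx, req: AttributeAnnotations(ctx, req),
}


def ns_parse(name):
    """Simplified nsParse: '@@x' -> ('view', 'x'), '++view++x' -> ('view', 'x')."""
    if name.startswith("@@"):
        return "view", name[2:]
    if name.startswith("++"):
        end = name.find("++", 2)
        if end > 0:
            return name[2:end], name[end + 2:]
    return "", name


def traverse_naive(context, request, name):
    """Reported behaviour: '@@' gives ns='view', nm='' and the unnamed
    (context, request) adapter is looked up and published."""
    ns, nm = ns_parse(name)
    if ns != "view":
        raise NotFound(name)
    return REGISTRY[nm](context, request)


def traverse_hardened(context, request, name):
    """Fix 3 (empty namespace name -> NotFound) plus the IView check."""
    ns, nm = ns_parse(name)
    if ns != "view" or not nm:
        raise NotFound(name)
    obj = REGISTRY.get(nm, lambda c, r: None)(context, request)
    if not isinstance(obj, View):  # stand-in for IView.providedBy(obj)
        raise NotFound(name)
    return obj
```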