Hi Benji

> Behalf Of Benji York
> Sent: Tuesday, August 09, 2005 4:49 PM
> Cc: zope3-dev@zope.org; 'Martijn Faassen'
> Subject: Re: [Zope3-dev] security frustrations
> Roger Ineichen wrote:
> > Remember that you don't have a location and check security
> > isn't possible if you use subscribers in this state and if 
> > you use it together with a local PAU.
> Roger, I'm afraid I don't fully understand your response, but 
> perhaps it 
> will clarify things if I say that I intended for the 
> permission on the 
> trusted adapter to be zope.Public.

Ok, in this special case it's working, but if you register
the adapter different then "zope.Public" it doesn't work.
But only because in this case is no security check lookup!
All other permission will be lookuped and don't have a 
chance to get the local PAU because of the missing location.
(__parent__ = None) 

It's really simple created objects before added to a container
can't be located and act only with global utilities instead of
local ones. It's strongly recommended that nobody is doing 
security related operations with subscribers in this state 
of a object. This works in a global site setup but not in
a local site with a local PAU.

Roger Ineichen

> Benji York
> Senior Software Engineer
> Zope Corporation
> _______________________________________________
> Zope3-dev mailing list
> Zope3-dev@zope.org
> Unsub: 
> http://mail.zope.org/mailman/options/zope3-dev/dev%40projekt01.ch

Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to