On Aug 10, 2006, at 8:33 AM, Christian Theune wrote:

Philipp von Weitershausen wrote:
Christian Theune wrote:
Log message for revision 69387:
- Removed conflicting security declaration for the traversal adapter that
     returns a Session object.

U Zope3/branches/ctheune-issue-574/src/zope/app/session/ configure.zcml

Modified: Zope3/branches/ctheune-issue-574/src/zope/app/session/ configure.zcml
--- Zope3/branches/ctheune-issue-574/src/zope/app/session/ configure.zcml 2006-08-10 08:24:12 UTC (rev 69386) +++ Zope3/branches/ctheune-issue-574/src/zope/app/session/ configure.zcml 2006-08-10 12:23:22 UTC (rev 69387)
@@ -23,7 +23,6 @@
-      permission="zope.Public"
    <class class=".session.Session">
Hah! I can't believe that was the problem. It all makes sense now. I
still wonder why the session object was still wrapped in a proxy whose
checker didn't allow anything...

Because IPathAdapter doesn't define any names, so the checker derived from
it doesn't allow any access.

seems that such a setup causes the
security machinery to be a little confused?

No, it did what it was told.

Perhaps the system shouldn't
allow such combinations (adapter security + security of the class)?

I agree. This combination should raise a ConflictError IMHO.

I don't agree. It is reasonable to me that different adapters derived from the same class
could need different permission settings.


Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714                  
Zope Corporation        http://www.zope.com             http://www.zope.org

Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to