In zope/app/publisher/http.zcml we have

  <class class="zope.publisher.http.URLGetter">
    <require
        permission="zope.View"
        attributes="get __getitem__ __str__" />
  </class>

I think this should be zope.Public. Otherwise unauthorized users viewing an untrusted page template will get errors from a template that tries to do things like tal:attributes="action request/URL".

A non-public permission is particularly problematic because URLGetter doesn't have an __parent__ attribute; therefore, there's no context for someone to *get* zope.View in the current public zope 3 security policies (and even then, the context would be request, and where should *it* get a security context?)

Objections? I probably won't port this back to 3.3 unless folks request it, since I'm not sure if it is a bugfix (port) or a policy change (don't port).

I'm going to change this in the trunk now.

Gary
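The context argument in the message above (a non-public permission has to be granted *somewhere* in the object's `__parent__` chain, and URLGetter has no such chain) can be illustrated with a small stand-alone model. The following Python is an added example, not Zope's security policy or any code from the zope.publisher project; the `Folder`, `URLGetter`, grant table and `check_permission` lookup are a simplified stand-in constructed here, and the sample URL and principal names are made up.

```python
"""Toy model of a context-based permission check (added illustration, not
Zope's real security policy or API).

Constructed assumptions: grants of a permission to a principal live on
objects; a check for a non-public permission walks the object's
__parent__ chain looking for a grant; zope.Public needs no grant at all.
"""

PUBLIC = "zope.Public"
VIEW = "zope.View"


class Unauthorized(Exception):
    """Raised when a required permission is not held in the object's context."""


class Folder:
    """A content object that can carry grants and sit in a __parent__ chain."""

    def __init__(self, name, parent=None):
        self.name = name
        self.__parent__ = parent
        self.grants = {}  # principal id -> set of permission ids

    def grant(self, principal, permission):
        self.grants.setdefault(principal, set()).add(permission)


class URLGetter:
    """Stand-in for the request's URL helper: it deliberately has no
    __parent__, so there is no context in which anyone could hold zope.View."""

    def __init__(self, url):
        self._url = url

    def __str__(self):
        return self._url


def check_permission(principal, permission, obj):
    """True if `principal` holds `permission` on `obj` or one of its ancestors.

    zope.Public is special-cased and always passes. Anything else is looked up
    along the __parent__ chain, so an object without __parent__ (URLGetter)
    can only ever be granted the permission directly on itself.
    """
    if permission == PUBLIC:
        return True
    node = obj
    while node is not None:
        if permission in getattr(node, "grants", {}).get(principal, set()):
            return True
        node = getattr(node, "__parent__", None)
    return False


# Protection declarations keyed by (class name, attribute), mirroring the
# <require permission=... attributes=...> directive quoted in the mail.
ORIGINAL_DECLARATIONS = {("URLGetter", "__str__"): VIEW}
PROPOSED_DECLARATIONS = {("URLGetter", "__str__"): PUBLIC}


def render_url(declarations, principal, getter):
    """What tal:attributes="action request/URL" needs: str(getter), after the
    protection check on __str__ has passed."""
    required = declarations[(type(getter).__name__, "__str__")]
    if not check_permission(principal, required, getter):
        raise Unauthorized(f"{principal} lacks {required} on {type(getter).__name__}")
    return str(getter)


def demo():
    """Compare the original and proposed declarations for two principals."""
    site = Folder("site")
    site.grant("alice", VIEW)              # alice may view the whole site
    page = Folder("page", parent=site)     # inherits alice's grant via __parent__
    getter = URLGetter("http://example.test/page")  # constructed sample URL

    results = {"alice_can_view_page": check_permission("alice", VIEW, page)}
    for who in ("alice", "anon"):
        try:
            results[f"{who}_original"] = render_url(ORIGINAL_DECLARATIONS, who, getter)
        except Unauthorized:
            results[f"{who}_original"] = "Unauthorized"
        results[f"{who}_proposed"] = render_url(PROPOSED_DECLARATIONS, who, getter)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes visible: even `alice`, who holds zope.View on the site, is refused `str(request.URL)` under the original declaration, because the lookup has no `__parent__` chain to follow from URLGetter; with zope.Public the check never needs a context, so both the authenticated and the anonymous principal can render the template.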
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com