Hi Markus

> Subject: [Zope3-Users] Trusted traversers in z3c.layer: 
> security concerns

[...]

> Since I can't believe that everybody else using `z3c.form` is 
> also using trusted traversers, I wonder if I am missing 
> something crucial here ...

I don't have time right now, but we'll meet at the sprint
in Boston. I'd like to take a closer look at that then. As far
as I can remember there is another issue with the traverser,
which resolves its name with context.__parent__ instead of
adapting the parent object's traverser. I'd also like to take
a look at this.

Stephan and I had a couple of discussions about writing
an introspection test framework which shows us what can get
accessed and what not, based on the configure.zcml directives
registered all over the project.

Probably we can take another look at this and write some
minimal hacker tool which tries to hack a running server
by trying to access all views and adapters etc.

Such a tool should also be able to generate a PDF report
showing the security settings. But that's another story...

Regards
Roger Ineichen

> Regards,
> 
> Markus Kemmerling
> 
> Medical University Vienna
> Core Unit for Medical Education
> P.O. Box 10  A-1097 Vienna
> phone: +43-1-40 160-36 863  fax: +43-1-40 160-93 65 00 
> http://www.meduniwien.ac.at/bemaw/
> 
> 
> _______________________________________________
> Zope3-users mailing list
> Zope3-users@zope.org
> http://mail.zope.org/mailman/listinfo/zope3-users
> 
