On 27 June 2010 00:24, Hanno Schlichting <ha...@hannosch.eu> wrote:
> Hi there,
>
> recently MJ opened a security related bug and disclosed it to the
> public at https://bugs.launchpad.net/zope2/+bug/578326.
>
> In short Zope 2 never supported the permission attribute on ZCML
> browser:view declarations. It seems some people might have specified
> this attribute and assumed it would do something.
>
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which
> warns about those cases. This is similar to how we handle other such
> cases like the unsupported <require set_schema=".." /> and <require
> set_attributes="..." /> on class directives.
>
> But it turns out that Zope 2 itself is using this in one place, that
> looks like it ought to have a security declaration. The
> Products.Five.adding.ContentAdding class registered as an add view
> ("+") has no working security declarations I can see, and only has
> such a non-functioning permission="zope2.ViewManagementScreens" set.
> I'm not familiar enough with the add view concept to understand what
> this is doing. It also looks like both CMF and Plone use similar
> registrations for their add views.
>
> Ideally I'd love to add support for the permission attribute, as
> clearly people have been using it. But if there's nobody who can
> figure out how to do that, I'd at least like to clarify the add view
> case.

Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm allowed to close the issue on Launchpad, but it should be fine now.

Cheers,
Martin