[z3-five] Security bug in browser menus?
Philipp von Weitershausen
philipp at weitershausen.de
Sun Jul 10 17:29:46 CEST 2005
Sidnei da Silva wrote:
> On Sun, Jul 10, 2005 at 01:44:14PM +0200, Philipp von Weitershausen wrote:
> | Hi,
> |
> | I think I have found a bug regarding menu items in Five. Basically,
> | unless the menu item isn't protected with zope.Public, it will never
> | show up. I can verify this in a test
> | (http://codespeak.net/svn/z3/Five/trunk/browser/tests/test_menu.py) and
> | it looks like CMFonFive's tests back up my theory. What I would like to
> | know is if you guys have experienced the same.
> |
> | An explanation of what's wrong and how I think it should be fixed is
> | explained as a big comment in the above test case. If I don't hear
> | anything about this issue, I'll assume that no one is using menu items
> | yet and I'll go ahead and fix the issue to make the corrected test pass.
>
> I'm supposed to start using menu items somewhere between now and
> mid-August. If there's no rush I can look at the issue.

Actually, I wasn't looking so much for bugfixers but for feedback
whether people actually did experience the same problem. But thanks for
the offer :)

As for the bugfix, I think the more appropriate way of dealing with the
issue is the second option discussed in the test comment, namely,
decorating Zope2's security manager so that
getInteraction().checkPermission(z3_permission) will call the security
manager's checkPermission(z2_permission=z3_permission.title).

Philipp
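
The decoration proposed in the message above, sketched as an added example that is not part of the original post and is not Five's or Zope's code. All classes are stand-ins, the permission ids and titles are constructed, and looking the permission up in a registry and refusing unknown ids are assumptions of this sketch.

```python
class Z2SecurityManager:
    """Stand-in for a Zope 2 security manager (constructed for this example)."""
    def __init__(self, granted):
        self._granted = set(granted)        # Zope 2 permission names held by the user

    def checkPermission(self, permission, obj):
        return permission in self._granted


class Permission:
    """Stand-in for a Zope 3 permission: dotted id plus a title."""
    def __init__(self, id, title):
        self.id, self.title = id, title


PUBLIC = "zope.Public"                      # the permission that needs no check


class InteractionDecorator:
    """Answers Zope 3 style checkPermission() calls by asking the Zope 2
    security manager about the permission's title."""
    def __init__(self, security_manager, registry):
        self._sm = security_manager
        self._registry = registry           # maps z3 permission id -> Permission

    def checkPermission(self, z3_permission, obj):
        if z3_permission == PUBLIC:
            return True
        perm = self._registry.get(z3_permission)
        if perm is None:
            return False                    # unknown permission: fail closed (assumption)
        return self._sm.checkPermission(perm.title, obj)


def visible_menu_items(items, interaction, context):
    """Keep only the menu items whose permission the interaction grants."""
    return [title for title, perm in items
            if interaction.checkPermission(perm, context)]


# Constructed sample data: two registered permissions and one unregistered id.
REGISTRY = {"example.View": Permission("example.View", "View"),
            "example.Edit": Permission("example.Edit", "Edit things")}
MENU = [("Home", PUBLIC), ("Contents", "example.View"),
        ("Edit", "example.Edit"), ("Bogus", "example.Unregistered")]


def demo(granted):
    interaction = InteractionDecorator(Z2SecurityManager(granted), REGISTRY)
    return visible_menu_items(MENU, interaction, context=object())
```
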