For changes before version 3.0, see HISTORY.rst.
- Prevent race condition in guarded_import (see #123)
- Provide
AccessControl.get_safe_globalsto facilitate safe use. - Honor
PURE_PYTHONenvironment variable to enable python implementation during runtime. - Add support for Python 3.10.
- Fix Appveyor configuration so tests can run and wheels build.
NOTE: This release has been yanked from PyPI due to wheel build issues.
- Fix a remote code execution issue by preventing access to
string.Formatterfrom restricted code.
- Add support for Python 3.9.
- Remove deprecated classes and functions in
(see #32):
AccessControl/DTML.pyAccessControl/Owned.pyAccessControl/Role.pyAccessControl/Permissions.py
- Add deprecation warnings for BBB imports in:
AccessControl/AuthEncoding.pyAccessControl/Owned.pyAccessControl/Role.pyAccessControl/User.py
- Although this version might run on Zope 4, it is no longer supported because of the dropped deprecation warnings.
- Add missing permission
Manage WebDAV Locks - Fix regression for BBB import of
`users.UnrestrictedUser(#94) - Add a check if database is present in
.owner.ownerInfo. (#91).
- Python 3: Allow iteration over the result of
dict.{keys,values,items}(#89).
Changes since 3.0.12:
- Add support for Python 3.5, 3.6, 3.7 and 3.8.
- Restore simple access to bytes methods in Python 3 (#83)
- Clarify deprecation warnings for several BBB shims. (#32)
- Add a test to prove that a user folder flag cannot be acquired elsewhere. (#7)
- Tighten basic auth string handling in
BasicUserFolder.identify(#56) - Prevent the Zope 4 ZMI from showing an add dialog for the user folder. (#82)
- Fix order of roles returned by
AccessControl.rolemanager.RoleManager.userdefined_roles. - Add configuration for zodbupdate.
- Add
TaintedBytesbesidesTaintedStringinAccessControl.tainted. (#57) - Security fix: In
str.format, check the security for attributes that are accessed. (Ported from 2.13). - Port
override_containercontext manager here from 2.13. - Add AppVeyor configuration to automate building Windows eggs.
- Fix for compilers that only support C89 syntax (e.g. on Windows).
- Sanitize and test RoleManager role handling.
- Depend on RestrictedPython >= 4.0.
- #16: Fixed permission handling by avoiding column and row numbers as identifiers for permissions and roles.
- Extract
.AuthEncodingto its own package for reuse. - Declare missing dependency on BTrees.
- Drop Record dependency, which now does its own security declaration.
- Remove leftovers from history support dropped in Zope.
- Remove duplicate guard against * imports. (#60)
- Avoid acquiring
accessfrom module wrapped bySecurityInfo._ModuleSecurityInfo. See: #12
- Harden test fix for machines that do not define localhost.
- Test fix for machines that do not define localhost.
- GitHub #6: Do not pass SecurityInfo instance itself to declarePublic/declarePrivate
when using the public/private decorator. This fixes
Conflicting security declarationswarnings on Zope startup. - LP #1248529: Leave existing security manager in place inside
RoleManager.manage_getUserRolesAndPermissions.
- LP #1169923: ensure initialization of shared
ImplPythonstate (used byImplC) when using the "C" security policy. Thanks to Arnaud Fontaine for the patch.
- Remove long-deprecated 'Shared' roles support (pre-dates Zope, never used by Zope itself)
- Prevent infinite loop when looking up local roles in an acquisition chain with cycles.
- LP #1071067: Use a stronger random number generator and a constant time comparison function.
- LP #966101: Recognize special zope2.Private permission in ZCML role directive.
- LP #1047318: Tighten import restrictions for restricted code.
- Fix a bug in ZopeSecurityPolicy.py. Global variable rolesForPermissionOn could be overridden if __role__ had custom rolesForPermissionOn.
- Add Anonymous as a default role for Public permission.
- Fix tests under Python 2.6.
- Added decorators for public, private and protected security declarations.
- Update tests to take advantage of automatic test suite discovery.