Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix subscript access on Page Template macros attribute #503

Merged
merged 3 commits into from Feb 16, 2019
Merged

Fix subscript access on Page Template macros attribute #503

merged 3 commits into from Feb 16, 2019

Conversation

dataflake
Copy link
Member

Fixes #210

Under Zope 2.13, the macros attribute on a page template is a dictionary. The security machinery didn't care about it. With Chameleon, it is a real object.

__allow_access_to_unprotected_subobjects__ is a bit of a sledge hammer here, but I can't see any way of getting to such a macros object without hitting all necessary security checks before you even get close. Attempts to install a ClassSecurityInfo on the class and declaring e.g. __getitem__ public didn't work.

@dataflake dataflake added the bug label Feb 15, 2019
@dataflake dataflake added this to the 4.0 final milestone Feb 15, 2019
@dataflake dataflake self-assigned this Feb 15, 2019
@dataflake dataflake added this to In progress in Zope 4 final release via automation Feb 15, 2019
@dataflake dataflake changed the title Fix subscript access on Page Template macros attribute Fix subscript access on Page Template macros attribute Feb 15, 2019
Zope 4 final release automation moved this from In progress to Reviewer approved Feb 16, 2019
hannosch
hannosch approved these changes Feb 16, 2019
View reviewed changes
Copy link
Contributor

@hannosch hannosch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the macros object (https://github.com/malthe/chameleon/blob/master/src/chameleon/zpt/template.py#L450), I think it's safe to expose it. There's not much that class can do.

@dataflake dataflake merged commit 12eb698 into master Feb 16, 2019
Zope 4 final release automation moved this from Reviewer approved to Done Feb 16, 2019
@dataflake dataflake deleted the issue_210 branch February 16, 2019 16:14
@dataflake dataflake mentioned this pull request Apr 16, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hannosch hannosch hannosch approved these changes

@icemac icemac Awaiting requested review from icemac

Assignees

@dataflake dataflake

Labels
bug
Projects
No open projects
Zope 4 final release
  
Done
Milestone
4.0 final
Development

Successfully merging this pull request may close these issues.

chameleon.zpt.template.Macros is missing a security declaration
2 participants
@dataflake @hannosch