OFS: normal users can override folder views

Bug #143663 reported by yuppie
Affects: Zope 2
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (not set)

Bug Description

checkValidId makes sure users can't override folder methods TTW. Five provides browser views as an alternative for presentation methods. But for 5 months (Zope 2.8.2) checkValidId no longer rejects IDs starting with '@'. This allows normal users that have the permission to add content to break apps that use Five views.

The proposed solution is to add these lines in checkValidId:

    # proposed addition to checkValidId (OFS.ObjectManager), alongside the
    # existing checks; BadRequest comes from zExceptions as in the rest of the file
    if id[0] == '@':
        raise BadRequest('The id "%s" is invalid because it begins with '
                         '"@".' % id)

There are 2 threads regarding this issue on zope-dev, but no consensus on how to resolve this:
http://mail.zope.org/pipermail/zope-dev/2006-March/027034.html
http://mail.zope.org/pipermail/zope-dev/2006-March/027046.html

Currently the views still override the content, but after the lookup order is changed as planned for the next releases the behavior will be as described above. See http://codespeak.net/pipermail/z3-five/2006q1/001186.html
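To make the proposed rule concrete, here is an added, self-contained Python sketch of an id validator in the spirit of checkValidId; it is not the report's code and not Zope's own implementation. The BadRequest class, the RESERVED attribute set and the character whitelist are constructed stand-ins (the whitelist is modeled on the pattern Zope 2.8.2 used, which admits space and '@'), so that the leading-'@' rejection from the proposal can be exercised next to the other checks a container performs.

```python
import re

# Stand-in for zExceptions.BadRequest (constructed for this example).
class BadRequest(Exception):
    """Raised when a requested object id is not acceptable."""

# Characters allowed in an id. Modeled on the whitelist Zope 2.8.2 used
# (assumption); note that space and '@' are admitted here, which is exactly
# why a separate leading-'@' check is needed to keep the view namespace free.
BAD_ID_CHARS = re.compile(r'[^a-zA-Z0-9_~,.$()# @-]').search

# Folder attributes a content id must never shadow (constructed sample set,
# not the full list a real ObjectManager protects).
RESERVED = {'manage_main', 'objectValues', 'REQUEST', 'acl_users'}


def check_valid_id(existing_ids, oid):
    """Raise BadRequest unless oid is safe to add to a container.

    existing_ids: ids already present in the container (any iterable).
    Mirrors the order of the usual checks: empty, illegal characters,
    underscore prefix, the proposed '@' prefix rule, then collisions.
    """
    if not oid or not isinstance(oid, str):
        raise BadRequest('Empty or invalid id specified')
    if BAD_ID_CHARS(oid) is not None:
        raise BadRequest('The id "%s" contains characters illegal in URLs.'
                         % oid)
    if oid[0] == '_':
        raise BadRequest('The id "%s" is invalid because it begins with an '
                         'underscore.' % oid)
    # The rule proposed in the report: '@' (and therefore '@@') marks the
    # Five/Zope 3 view namespace during traversal, so content must not use it.
    if oid[0] == '@':
        raise BadRequest('The id "%s" is invalid because it begins with '
                         '"@".' % oid)
    if oid in RESERVED or oid in set(existing_ids):
        raise BadRequest('The id "%s" is already in use.' % oid)
    return True


def is_valid_id(existing_ids, oid):
    """Boolean wrapper around check_valid_id, handy for batch checks."""
    try:
        return check_valid_id(existing_ids, oid)
    except BadRequest:
        return False


if __name__ == '__main__':
    # Constructed sample ids: the first two would be legal under the 2.8.2
    # whitelist alone and are only caught by the leading-'@' rule.
    for candidate in ['@@edit', '@view', 'index_html', 'my doc.txt', 'a/b']:
        print('%-12s -> %s' % (candidate, is_valid_id(['doc'], candidate)))
```

The point of the two-stage check is that relaxing the character whitelist (as 2.8.2 did) and keeping the view namespace reserved are independent decisions: an id can pass the whitelist and still be rejected because its first character would collide with how the traversal machinery resolves `@@name`.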

Revision history for this message
Jens Vagelpohl (dataflake-deactivatedaccount-deactivatedaccount) wrote:

The described behavior never materialized. Matter of fact, whereas you can create items starting with "@@" in stock Zope (outside of the CMF or Plone) all you get is an error message when you try to view that object since the traversal machinery wants to look up a view and not an attribute or an object.

Changed in zope2:
status: New → Invalid
assignee: nobody → Jens Vagelpohl (dataflake)