XML-RPC object representations don't respect permissions #954

Closed
dataflake opened this issue Mar 1, 2021 · 1 comment
@dataflake (Member):
XML-RPC requests that don't correspond to specific methods will fall back to generating a simple XML representation of the object being accessed. If the object has attributes that are themselves instances, the code will continue recursing and will generate representations for them as well.

The security checks performed in this recursive function are too simplistic. They only exclude attributes whose names start with an underscore (`_`). They do not attempt to look up and check Zope permission assertions on the instances found during recursion. So if you have a folder that is accessible to a user and that folder contains items that are not, those items will still be included in the XML output.
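The recursion described in the comment above, reduced to a toy model so the leak is visible: a fallback dump that only drops underscore-prefixed attributes, next to the same walk with a per-instance permission check in front of every nested object. This is an added illustration, not Zope's `ZPublisher` code: the `Item`/`Folder` classes, the `VIEW_ACL` table, `may_view`, and the sample objects are all constructed assumptions standing in for Zope's persistent objects and permission assertions.

```python
import xmlrpc.client


class Item:
    """Stand-in for a content object. Attributes with a leading underscore
    are the only ones the naive fallback filters out."""

    def __init__(self, id, title):
        self.id = id
        self.title = title
        self._internal = "never exported"


class Folder(Item):
    """Container whose sub-objects live in an ordinary attribute, so a
    recursive dump walks straight into them."""

    def __init__(self, id, title, items):
        super().__init__(id, title)
        self.items = list(items)


# Constructed permission table: roles granted "View" on each object id.
# A toy stand-in for per-object permission assertions, not Zope's real API.
VIEW_ACL = {
    "public": {"Anonymous", "Manager"},
    "report": {"Anonymous", "Manager"},
    "secret": {"Manager"},
}


def may_view(obj, roles):
    """Assumed permission check: any of the caller's roles holds View."""
    return bool(VIEW_ACL.get(obj.id, set()) & set(roles))


def _convert(value, allowed):
    """Convert one attribute value; nested instances are represented only if
    `allowed(instance)` says so, and lists are filtered element by element."""
    if isinstance(value, Item):
        return dump(value, allowed) if allowed(value) else None
    if isinstance(value, list):
        return [c for c in (_convert(v, allowed) for v in value) if c is not None]
    return value


def dump(obj, allowed):
    """Recursive fallback representation of `obj` as an XML-RPC struct.
    The underscore test is the only filter the naive variant applies."""
    out = {}
    for name, value in vars(obj).items():
        if name.startswith("_"):
            continue
        converted = _convert(value, allowed)
        if converted is not None:
            out[name] = converted
    return out


def naive_response(obj):
    """Pre-fix behaviour: no permission lookup, every child is represented."""
    return dump(obj, allowed=lambda child: True)


def guarded_response(obj, roles):
    """Fixed behaviour: the root and every nested instance must pass may_view;
    children that fail are dropped entirely, not even their id is emitted."""
    if not may_view(obj, roles):
        raise PermissionError(f"roles {sorted(roles)} may not view {obj.id!r}")
    return dump(obj, allowed=lambda child: may_view(child, roles))


def to_xml(struct):
    """Marshal the struct the way an XML-RPC methodResponse carries it."""
    return xmlrpc.client.dumps((struct,), methodresponse=True)


def build_sample():
    """Constructed sample tree: a world-readable folder holding one public
    item and one Manager-only item."""
    return Folder("public", "Public folder",
                  [Item("report", "Annual report"), Item("secret", "Board minutes")])


if __name__ == "__main__":
    folder = build_sample()
    leaky = to_xml(naive_response(folder))
    safe = to_xml(guarded_response(folder, roles={"Anonymous"}))
    print("naive output mentions 'secret':  ", "secret" in leaky)
    print("guarded output mentions 'secret':", "secret" in safe)
```

Run as a script, the naive dump serialises the Manager-only item into the Anonymous user's response; the guarded dump omits it, while a caller holding the Manager role still sees both children. The check has to run for every instance reached, not just the root, because the root folder being viewable is exactly the case the comment describes.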

@dataflake (Member, Author):
Fixed by #955 on the 4.x branch and 9191091 on master
