Ticket #2088 (new defect)

Opened 10 years ago

Last modified 10 years ago

Protection of files in datamodels makes them unusable from protected code

Reported by: gracinet
Owned by: madarche
Priority: P2
Milestone: CPS 3.4.10
Component: CPSSchemas
Version: TRUNK
Severity: normal
Keywords:
Cc:

Description

For #1998, an encapsulation of File objects was introduced in DataModel, so that attribute changes don't impact them directly at a low level, bypassing guards for frozen revisions.

It is transparent from trusted code; for instance this is unaffected in trusted code:

   datamodel['file'].title

but the security check would fail if within untrusted code (in particular TALES expressions). The ProtectedFile should always be public, since getting it already means going through all possible security checks at the DataModel level.
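A simplified model of the behaviour described above, added here as an illustration; it is not CPSSchemas or Zope code. The classes are stand-ins, `PublicProtectedFile` and `guarded_getattr` are hypothetical names, and the restricted-code check is reduced to a single class-level flag (assumed here to be how "public" is expressed).

```python
# Simplified model of the ticket's situation; not CPSSchemas or Zope code.
FLAG = '__allow_access_to_unprotected_subobjects__'  # Zope's default-access attribute

class Unauthorized(Exception):
    pass

class File:
    """Stand-in for a stored File object."""
    def __init__(self, title):
        self.title = title

class ProtectedFile:
    """Wrapper: reads pass through, writes honour the frozen-revision guard."""
    def __init__(self, wrapped, frozen):
        object.__setattr__(self, '_wrapped', wrapped)
        object.__setattr__(self, '_frozen', frozen)

    def __getattr__(self, name):
        return getattr(self._wrapped, name)

    def __setattr__(self, name, value):
        if self._frozen:
            raise Unauthorized('frozen revision')
        setattr(self._wrapped, name, value)

class PublicProtectedFile(ProtectedFile):
    """Hypothetical fixed wrapper: declared public to restricted code."""
    __allow_access_to_unprotected_subobjects__ = 1

class DataModel:
    """Stand-in DataModel: the permission check happens on item access."""
    def __init__(self, files, frozen, may_view, wrapper):
        self._files, self._frozen = files, frozen
        self._may_view, self._wrapper = may_view, wrapper

    def __getitem__(self, key):
        if not self._may_view:
            raise Unauthorized(key)
        return self._wrapper(self._files[key], self._frozen)

def guarded_getattr(obj, name):
    """Reduced form of the check applied to untrusted code such as TALES."""
    if not getattr(type(obj), FLAG, None):
        raise Unauthorized(name)
    return getattr(obj, name)

def read_title(datamodel, trusted):
    f = datamodel['file']
    return f.title if trusted else guarded_getattr(f, 'title')
```

In this model, making the wrapper public changes only what restricted code can read: the DataModel-level check and the frozen-revision write guard still apply.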

Change History

comment:1 Changed 10 years ago by gracinet

  • Milestone changed from CPS 3.5.0 to CPS 3.4.10