
Mailing List Archive: Zope: Dev

ZCatalog and indexes cleanup

 

 



y.2009 at wcm-solutions

Jun 29, 2009, 3:48 AM

Post #1 of 5 (370 views)
ZCatalog and indexes cleanup

Hi!


I did plan to work on a small catalog improvement, but after looking at
the code I'd like to do some cleanup first:


1.) remove the deprecated TextIndex

The deprecation warning says:
'Using TextIndex is deprecated (will be removed in Zope '
'2.12). Use ZCTextIndex instead.'


2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog

These files seem to be obsolete.


3.) remove security declarations from ZCTextIndex and DateRangeIndex

All the other indexes don't have security declarations. AFAICS there is
no way to access indexes from untrusted code without having the 'Manage
ZCatalogIndex Entries' permission.


4.) add 'indexSize' to IPluggableIndex and implement it where missing

ZCatalog uses that method and most indexes implement it already.



If there are no objections, I'll make these changes on the 2.12 branch
and the trunk.


Cheers,

Yuppie


_______________________________________________
Zope-Dev maillist - Zope-Dev[at]zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


wichert at wiggy

Jun 29, 2009, 4:07 AM

Post #2 of 5 (345 views)
Re: ZCatalog and indexes cleanup [In reply to]

On 6/29/09 12:48 PM, yuppie wrote:
> Hi!
>
>
> I did plan to work on a small catalog improvement, but after looking at
> the code I'd like to do some cleanup first:
>
>
> 1.) remove the deprecated TextIndex
>
> The deprecation warning says:
> 'Using TextIndex is deprecated (will be removed in Zope'
> '2.12). Use ZCTextIndex instead.'
>
>
> 2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog
>
> These files seem to be obsolete.
>
>
> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>
> All the other indexes don't have security declarations. AFAICS there is
> no way to access indexes from untrusted code without having the 'Manage
> ZCatalogIndex Entries' permission.
>
>
> 4.) add 'indexSize' to IPluggableIndex and implement it where missing
>
> ZCatalog uses that method and most indexes implement it already.

An API to both get and set 'extras' would be very useful for
GenericSetup as well :)

Wichert.


lists at zopyx

Jun 29, 2009, 10:14 AM

Post #3 of 5 (343 views)
Re: ZCatalog and indexes cleanup [In reply to]

On 29.06.09 12:48, yuppie wrote:
> Hi!
>
>
> I did plan to work on a small catalog improvement, but after looking at
> the code I'd like to do some cleanup first:
>
>
> 1.) remove the deprecated TextIndex
>
> The deprecation warning says:
> 'Using TextIndex is deprecated (will be removed in Zope '
> '2.12). Use ZCTextIndex instead.'
>
>
+1
> 2.) remove CHANGES.txt, README.txt and version.txt from Products/ZCatalog
>
> These files seem to be obsolete.
>
+1
>
> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>
> All the other indexes don't have security declarations. AFAICS there is
> no way to access indexes from untrusted code without having the 'Manage
> ZCatalogIndex Entries' permission.
>

I think that all index implementations should have security assertions?!
>
> 4.) add 'indexSize' to IPluggableIndex and implement it where missing
>
> ZCatalog uses that method and most indexes implement it already.
>
+1

Andreas


y.2009 at wcm-solutions

Jun 29, 2009, 10:33 AM

Post #4 of 5 (339 views)
Re: ZCatalog and indexes cleanup [In reply to]

Hi Andreas!


Andreas Jung wrote:
> On 29.06.09 12:48, yuppie wrote:
>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>
>> All the other indexes don't have security declarations. AFAICS there is
>> no way to access indexes from untrusted code without having the 'Manage
>> ZCatalogIndex Entries' permission.
>>
>
> I think that all index implementations should have security assertions?!

Why?

'_catalog.indexes' is protected by the underscore and using the
'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
additional security restrictions would have any effect.

Or am I missing a security hole?

Cheers,

Yuppie



lists at zopyx

Jun 29, 2009, 10:42 AM

Post #5 of 5 (340 views)
Re: ZCatalog and indexes cleanup [In reply to]

On 29.06.09 19:33, yuppie wrote:
> Hi Andreas!
>
>
> Andreas Jung wrote:
>
>> On 29.06.09 12:48, yuppie wrote:
>>
>>> 3.) remove security declarations from ZCTextIndex and DateRangeIndex
>>>
>>> All the other indexes don't have security declarations. AFAICS there is
>>> no way to access indexes from untrusted code without having the 'Manage
>>> ZCatalogIndex Entries' permission.
>>>
>>>
>> I think that all index implementations should have security assertions?!
>>
> Why?
>
> '_catalog.indexes' is protected by the underscore and using the
> 'Indexes' alias is protected by 'Manage ZCatalogIndex Entries'. Only
> additional security restrictions would have any effect.
>
> Or am I missing a security hole?

Not sure. I created a catalog /catalog and an index 'my_index'.

Within a debug shell:

>>> app.catalog.Indexes['my_index']
<FieldIndex at my_index>


>>> app.unrestrictedTraverse('catalog/Indexes/my_index')
<FieldIndex at /catalog//my_index>


>>> app.restrictedTraverse('catalog/Indexes/my_index')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 301, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  File "/Users/ajung/sandboxes/Zope-2.11/2.11/lib/python/OFS/Traversable.py", line 236, in unrestrictedTraverse
    next = guarded_getattr(obj, name)
AccessControl.unauthorized.Unauthorized: You are not allowed to access 'Indexes' in this context


hmmmm...

Andreas
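
Added example, not part of the original thread and not Zope's own code: a simplified stand-alone Python model of the two checks discussed above (underscore-prefixed names are private, and the 'Indexes' alias requires 'Manage ZCatalogIndex Entries'). Catalog, FieldIndex, guarded_getattr, restricted_traverse and the 'protected' table are hypothetical stand-ins; the model deliberately treats undeclared public attributes as open, to show that an index without declarations is still unreachable through either path without the permission.

```python
from types import SimpleNamespace

PERM = 'Manage ZCatalogIndex Entries'

class Unauthorized(Exception):
    pass

class FieldIndex:
    """Index object with no security declarations of its own."""
    def __init__(self, name):
        self.id = name

class Catalog:
    # Constructed declaration table: attribute name -> required permission.
    protected = {'Indexes': PERM}

    def __init__(self):
        self._catalog = {'my_index': FieldIndex('my_index')}

    @property
    def Indexes(self):
        return self._catalog  # public alias for the private mapping

def guarded_getattr(obj, name, permissions):
    """Attribute lookup as restricted code would see it (model only)."""
    if name.startswith('_'):
        raise Unauthorized("private name %r" % name)
    needed = getattr(type(obj), 'protected', {}).get(name)
    if needed is not None and needed not in permissions:
        raise Unauthorized("%r requires %r" % (name, needed))
    # Worst case for the argument: undeclared public names are allowed.
    return getattr(obj, name)

def restricted_traverse(root, path, permissions=frozenset()):
    """Walk a slash-separated path, guarding every attribute step."""
    obj = root
    for name in path.split('/'):
        if isinstance(obj, dict):
            obj = obj[name]
        else:
            obj = guarded_getattr(obj, name, permissions)
    return obj

def denied_at(root, path, permissions=frozenset()):
    """Return the Unauthorized message, or None if traversal succeeds."""
    try:
        restricted_traverse(root, path, permissions)
    except Unauthorized as exc:
        return str(exc)
    return None
```

In this model the container attribute is the only gate: once a caller holds the permission, nothing on the index object itself restricts access, which is the situation the thread is debating.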