Salesforce Base Connector 1.0c1 (Release candidate) (Dec 23, 2008)
This is not a final release. Experimental releases should only be used for testing and development. Do not use these on production sites, and make sure you have proper backups before installing.
Adds Salesforce-specific permissions for more granular access control.
For additional information about this project, please visit the overview page.
Release Notes
| Tested with | Plone 3, Plone 2.5 |
|---|---|
| State | Release candidate |
| License | GPL |
| Release Manager | David Glick |
We recently discovered a security issue in salesforcebaseconnector which exposes Plone sites using it to unauthenticated users reading arbitrary data from the configured Salesforce connection.
I have just released salesforcebaseconnector 1.0c1 which fixes this vulnerability, and *strongly* recommend upgrading all installations of salesforcebaseconnector to this version as soon as possible. Not upgrading places your data at risk of unprotected access.
Simply updating to the new egg and restarting Zope should be enough to activate the fix; you don't need to re-initialize the product or recreate the base connector.
If you are calling salesforcebaseconnector methods from restricted Python (e.g. skin layer Python scripts), you will need to make sure that your script has a proxy role of 'Manager'. You can set this via the Proxy tab in the ZMI, or in a filesystem skin layer by using a .metadata file with the following:
[default]
proxy=Manager
There are two new permissions, 'Salesforce: Read' and 'Salesforce: Write', which you can use if you need more fine-grained access control.
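The following is an added, stand-alone illustration of the mechanism behind the fix and the proxy-role requirement described above; it is not salesforcebaseconnector's or Zope's own code. In Zope 2, any attribute reached by URL traversal is callable by anyone unless a `<name>__roles__` attribute restricts it, a permission maps to a set of roles, and a script's proxy roles replace the caller's roles while it runs. The class, role mapping and sample records below are constructed for the example; 'Manage portal' and 'Manager' are the permission and role named on this page.

```python
"""Simplified model of Zope 2 method protection (constructed example).

Shows why a connector method left publicly traversable is readable by an
anonymous visitor, how guarding it with the 'Manage portal' permission
closes that, and why restricted Python then needs a proxy role of Manager.
"""

ANONYMOUS = frozenset({"Anonymous"})
# Constructed mapping: the 'Manage portal' permission is granted to Manager only.
PERMISSION_ROLES = {"Manage portal": frozenset({"Manager"})}


class Unauthorized(Exception):
    """Raised by the publisher model when the caller lacks a required role."""


class FakeSalesforceConnector:
    """Stand-in for the base connector; it never contacts Salesforce."""

    def __init__(self, protect=True):
        # Constructed sample rows standing in for the remote org's data.
        self._records = [{"Id": "CONSTRUCTED-ID-1", "Name": "Sample Contact"}]
        if protect:
            # The 1.0c1 fix in miniature: only roles granted 'Manage portal'
            # may call query().  Zope sets this on the class via
            # ClassSecurityInfo; an instance attribute is enough for the model.
            self.query__roles__ = PERMISSION_ROLES["Manage portal"]
        # With no query__roles__ attribute the method is public: anyone who can
        # traverse to the connector can call it (the pre-1.0c1 behaviour).

    def query(self, soql):
        return list(self._records)


def publish(obj, method_name, roles, *args):
    """Model of the publisher: resolve the method, check roles, then call it."""
    method = getattr(obj, method_name)
    allowed = getattr(obj, method_name + "__roles__", None)
    if allowed is not None and not set(roles) & set(allowed):
        raise Unauthorized(f"{method_name} requires one of {sorted(allowed)}")
    return method(*args)


def run_script(connector, user_roles, proxy_roles=None):
    """A restricted Python script calling connector.query().

    Proxy roles (the ZMI Proxy tab or ``proxy=Manager`` in a .metadata file)
    replace the calling user's roles for the duration of the script.
    """
    effective = proxy_roles if proxy_roles is not None else user_roles
    return publish(connector, "query", effective, "SELECT Id, Name FROM Contact")


def anonymous_can_read(connector):
    """True if an anonymous traverser can call query() on this connector."""
    try:
        publish(connector, "query", ANONYMOUS, "SELECT Id FROM Contact")
    except Unauthorized:
        return False
    return True


def script_allowed(connector, user_roles, proxy_roles=None):
    """True if run_script() succeeds for the given user and proxy roles."""
    try:
        run_script(connector, user_roles, proxy_roles)
    except Unauthorized:
        return False
    return True


if __name__ == "__main__":
    old = FakeSalesforceConnector(protect=False)
    new = FakeSalesforceConnector(protect=True)
    print("anonymous read, unprotected:", anonymous_can_read(old))
    print("anonymous read, protected:  ", anonymous_can_read(new))
    print("member script, no proxy:    ", script_allowed(new, {"Member"}))
    print("member script, proxy=Manager", script_allowed(new, {"Member"}, {"Manager"}))
```

The model makes the upgrade consequence visible: after the fix, a skin-layer script run by an ordinary member fails until it is given the Manager proxy role, while an anonymous request to the connector's method is refused outright.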
Change log
1.0c1 (2008-12-22)
- Protect the base connector's query, queryMore, retrieve, getDeleted, and getUpdated methods with the 'Manage portal' permission instead of making them publicly traversable. Note that this means any restricted Python calling these methods (e.g. page templates or Python scripts) will need to use a proxy role that has this permission in order to continue functioning. [davisagli]
- Don't display a configured password in the configuration form. [davisagli]
- Refactored credentials check so that invalid credentials will result in a warning shown to the user, rather than failing silently. This closes issue #2. [andrewb, davisagli]
- Integration test suites are now all based on CMFTestCase and the creation of a CMF site, rather than PloneTestCase and a Plone site, for performance reasons. [andrewb]