[ZCM] [ZC] 1756/ 2 Comment "Unexpected authorization failure during traversal"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Thu Apr 14 11:10:28 EDT 2005 

Issue #1756 Update (Comment) "Unexpected authorization failure during traversal"
 Status Pending, Zope/bug+solution medium
To followup, visit:
  http://www.zope.org/Collectors/Zope/1756

==============================================================
= Comment - Entry #2 by tseaver on Apr 14, 2005 11:10 am

Thank you for the detailed report.  Unfortunately, I am unable
to reproduce your error against the head of the 2.7 branch,
which has the same code in User.py as 2.7.5.

Here is some additional detail about my attempts:

  - In step 3, you do not specify the kind of access which
    the method makes of its context.  Here is the text of
    the PythonScript I used
    (http://localhost:8080/m1/document_src)::

      ## Script (Python) "m1"
      ##bind container=container
      ##bind context=context
      ##bind namespace=
      ##bind script=script
      ##bind subpath=traverse_subpath
      ##parameters=
      ##title=
      ##
      return context.title_or_id()

  - In step 4, you don't specify whether you are making the
    changes to the "Security" tabl of the root folder or of
    either '/a' or '/a/b'.  I tried both the root folder,
    and also '/a' (where I had to clear the "Acquire" field.

  - In step 5, you say "Log in as User1";  I don't know how
    you mean to do that (User1 has no roles at all on my system).

  - I pasted the following URL into a new browser session:

      http://localhost:8080/a/b/m1

    got challenged for HTTP basic auth, entered 'User1' and
    the corresponding password, and was able to see the title
    of the 'b' subfolder without further challenge.
________________________________________
= Request - Entry #1 by bierce on Apr 14, 2005 8:03 am

CHANGES.txt in Zope 2.7.5 final (2005/03/20), contains the following entry:

  * AccessControl/User.py: _check_context() has not been 
    called for authenticated users.

The corresponding change produces unexpected authorization failure during traversal.  Code which ran without error under previous versions of Zope fails under 2.7.5-final.

The behavior can be reproduced as follows:

 1. Install Zope-2.7.5-final and bring up an instance
    with default settings;

 2. Create a folder and subfolder, "/a/b".

 3. Create a user folder acl_users at top level,
    and create a user User1 in it.

 3. Place a method "m1" at top level, which accesses
    properties of its context.

 4. In the securities tab, make the following two changes:

    - Deny the View permission the the Anonymous role;
      and

    - Explicitly grant all permissions to Authenticated,
      including View.

 5. Log in as User1.

 5. Access the following path: /a/b/m1

 6. The result on our installation of 2.7.5-final is
    an authentication error:

      You are not authorized to access this resource
      Username and password are not correct. (Also, an
      error occurred while attempting to render the 
      standard error message.)

This does not seem to be correct behavior.  Zope versions prior to 2.7.5-final run this case without error.

The Japanese colleague on whose behalf I am filing this issue (Tokuyasu Kakuta) suggests unwinding the change by replacing lines 185 and 186 in Users.py with "            return 1".  This restores the previous behavior.

==============================================================

More information about the Zope-Collector-Monitor mailing list