[ZCM] [ZC] 1756/ 4 Comment "Unexpected authorization failure during traversal"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Fri Apr 15 17:51:56 EDT 2005 

Issue #1756 Update (Comment) "Unexpected authorization failure during traversal"
 Status Pending, Zope/bug+solution medium
To followup, visit:
  http://www.zope.org/Collectors/Zope/1756

==============================================================
= Comment - Entry #4 by bierce on Apr 15, 2005 5:51 pm

(Erratum to Entry 3: as step 2a, create a folder "b" inside folder "a".)
________________________________________
= Comment - Entry #3 by bierce on Apr 15, 2005 5:42 pm

I mistranscribed my colleague's description of the error; it was careless of me to file a report without confirming the behavior myself.  With apologies, once more, with feeling.  :-)

Zope 2.7.5-final and 2.7.3b1 (both compiled for Python 2.3.5) behave differently when treated as follows:

 1. Install and run Zope

 2. At top level, create a folder "a"

 3. At top level, create a method that accesses
    context (a script that returns 
    context.title_or_id() will do the trick)

 4. At top level, explicitly grant all permissions
    to "Authorized".

 5. At top level, deny View permission to "Anonymous".

 3. Create a user folder inside folder "a", with a
    user User1.  (User1 can be assigned one or more
    roles or not.)

 4. Logout, and access the path /a/b/m1 as you had
    done before.

Under 2.5.3b1 Zope returns the id ("b") after the authorization challenge.  Under 2.5.7-final, authorization fails.  If the method "m1" is cut and pasted into "a" or "b", then of course login succeeds.

It looks as though methods can no longer be shared across authentication realms (if I have expressed that correctly -- I'm not a computer scientist).  It is not clear to us why that should do so.  User1 is authenticated to the system, and is not attempting to access context outside the bounds of her authentication.

There may be a very good reason for this change in traversal behavior, but it is not obvious to us what that might be; and the change is consequential for my colleague (i.e. it has interrupted a planned migration from 2.6 to 2.7).  If this issue was documented in the release notes -- apart from the telegraphic entry in CHANGES.txt -- we haven't found mention of it anywhere.  We're curious to know how the change works an improvement.

________________________________________
= Comment - Entry #2 by tseaver on Apr 14, 2005 11:10 am

Thank you for the detailed report.  Unfortunately, I am unable
to reproduce your error against the head of the 2.7 branch,
which has the same code in User.py as 2.7.5.

Here is some additional detail about my attempts:

  - In step 3, you do not specify the kind of access which
    the method makes of its context.  Here is the text of
    the PythonScript I used
    (http://localhost:8080/m1/document_src)::

      ## Script (Python) "m1"
      ##bind container=container
      ##bind context=context
      ##bind namespace=
      ##bind script=script
      ##bind subpath=traverse_subpath
      ##parameters=
      ##title=
      ##
      return context.title_or_id()

  - In step 4, you don't specify whether you are making the
    changes to the "Security" tabl of the root folder or of
    either '/a' or '/a/b'.  I tried both the root folder,
    and also '/a' (where I had to clear the "Acquire" field.

  - In step 5, you say "Log in as User1";  I don't know how
    you mean to do that (User1 has no roles at all on my system).

  - I pasted the following URL into a new browser session:

      http://localhost:8080/a/b/m1

    got challenged for HTTP basic auth, entered 'User1' and
    the corresponding password, and was able to see the title
    of the 'b' subfolder without further challenge.
________________________________________
= Request - Entry #1 by bierce on Apr 14, 2005 8:03 am

CHANGES.txt in Zope 2.7.5 final (2005/03/20), contains the following entry:

  * AccessControl/User.py: _check_context() has not been 
    called for authenticated users.

The corresponding change produces unexpected authorization failure during traversal.  Code which ran without error under previous versions of Zope fails under 2.7.5-final.

The behavior can be reproduced as follows:

 1. Install Zope-2.7.5-final and bring up an instance
    with default settings;

 2. Create a folder and subfolder, "/a/b".

 3. Create a user folder acl_users at top level,
    and create a user User1 in it.

 3. Place a method "m1" at top level, which accesses
    properties of its context.

 4. In the securities tab, make the following two changes:

    - Deny the View permission the the Anonymous role;
      and

    - Explicitly grant all permissions to Authenticated,
      including View.

 5. Log in as User1.

 5. Access the following path: /a/b/m1

 6. The result on our installation of 2.7.5-final is
    an authentication error:

      You are not authorized to access this resource
      Username and password are not correct. (Also, an
      error occurred while attempting to render the 
      standard error message.)

This does not seem to be correct behavior.  Zope versions prior to 2.7.5-final run this case without error.

The Japanese colleague on whose behalf I am filing this issue (Tokuyasu Kakuta) suggests unwinding the change by replacing lines 185 and 186 in Users.py with "            return 1".  This restores the previous behavior.

==============================================================

More information about the Zope-Collector-Monitor mailing list