[Zope3-dev] security problems with database adapters (second edition)
Velko Ivanov
dachev at nove.bg
Fri Aug 26 11:51:15 EDT 2005
Hello,
My problems on this subject haven't been resolved since my last post, but
I have some new info and questions -
The symptoms (Zope 3.1.0c1):
Database adapters are not usable by principals other than the
zope.Manager, in the principals.zcml file. Any other principal is
unauthenticated - I tried principals.zcml regular user with
zope.ManageContent, zope.UseDatabaseConnections and zope.View granted,
pluggable authentication user with the zope.Manager role granted, and
finally - principals.zcml regular user with zope.Manager role.
All principals are able to see and manage the connection object, but
can't retrieve results. This is tested and true for both psycopg and
Gadfly database adapters.
This is the exception I get when trying to use SQL script:
* Module zope.app.sqlscript.browser.sqlscript, line 39, in
getArguments
for argname, argvalue in self.context.getArguments().items():
Unauthorized: (<zope.app.sqlscript.sqlscript.Arguments object at
0xa03e86c>, 'items', 'zope.ManageContent')
This is the exception from the test page of the connection object (in
/++etc++site/tools) when I use a principal with zope.Manager granted:
* Module zope.app.rdb, line 372, in queryForResults
cursor = conn.cursor()
Unauthorized: (<zope.app.rdb.ZopeConnection object at 0xad11c2c>,
'cursor', 'zope.ManageContent')
Looking at the code, the ZopeConnection object is created by the
ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual
DatabaseAdapter) with a simple call - self._v_connection =
ZopeConnection(self._connection_factory(), self)
and the ZopeConnection class does not have anything that deals with
security, as far as I can see.
My question is, does this mean, then, that ZopeConnection objects,
which are created at run time, are not security proxied and consequently
unauthorized in all cases (except for the system_user), and if so, what
should be done? I'm not familiar with the Zope3 environment and I don't
know how and where objects get proxied.
Or is there something I'm missing here?
Regards,
Velko Ivanov
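The post asks how an object built at run time, such as the ZopeConnection the adapter creates, can be covered by Zope 3's security proxies at all. The following is an added example, not code from the post, from Zope, or from zope.security: it is a small stand-alone model of two ideas in Zope 3's security design, that a checker is looked up by the class of the wrapped object (so a run-time instance is covered if its class has a checker, and denied everything if it has none), and that values returned through a proxy are proxied in turn, so the connection and cursor do not escape the checks. All class names, the `connect` method, the permission ids and the row data are assumptions chosen to mirror the objects and permissions named in the post.

```python
"""Constructed model of Zope 3 style security proxies (example code,
not zope.security).  Class names, permission ids and the data returned
by the cursor are all assumptions chosen to mirror the post."""


class Unauthorized(Exception):
    """A permission is required for the name and the principal lacks it."""


class ForbiddenAttribute(Exception):
    """No checker entry at all for the name: the default is to deny."""


class Interaction:
    """Stand-in for the current principal: the permissions it holds."""

    def __init__(self, permissions):
        self.permissions = frozenset(permissions)

    def allows(self, permission):
        return permission in self.permissions


# Checker registry: class -> {attribute name: permission id}.
_checkers = {}


def define_checker(cls, required):
    _checkers[cls] = dict(required)


# Basic values need no proxy (zope.security calls these "rocks").
_ROCKS = (int, float, str, bytes, bool, type(None), tuple, list, dict)


class SecurityProxy:
    """Every attribute access is checked; method results are re-wrapped."""

    __slots__ = ("_obj", "_checker", "_interaction")

    def __init__(self, obj, checker, interaction):
        self._obj = obj
        self._checker = checker
        self._interaction = interaction

    def __getattr__(self, name):
        # Reached for every name that is not a slot of the proxy itself.
        if name not in self._checker:
            raise ForbiddenAttribute(type(self._obj).__name__, name)
        permission = self._checker[name]
        if not self._interaction.allows(permission):
            raise Unauthorized(type(self._obj).__name__, name, permission)
        value = getattr(self._obj, name)
        if callable(value):
            def guarded(*args, **kwargs):
                # Contagious: the result of a method call is proxied too.
                return proxy(value(*args, **kwargs), self._interaction)
            return guarded
        return proxy(value, self._interaction)


def proxy(obj, interaction):
    """Wrap obj unless it is already a proxy or a basic value."""
    if isinstance(obj, SecurityProxy) or isinstance(obj, _ROCKS):
        return obj
    # A class with no registered checker gets an empty one: all denied.
    return SecurityProxy(obj, _checkers.get(type(obj), {}), interaction)


# Constructed stand-ins for the adapter, connection and cursor in the post.
class CursorModel:
    def __init__(self):
        self._rows = []

    def execute(self, sql):
        self._rows = [(1, sql)]  # fake driver: one fixed row per query

    def fetchall(self):
        return list(self._rows)


class ZopeConnectionModel:
    def __init__(self, raw_connection):
        self._connection = raw_connection

    def cursor(self):
        return CursorModel()


class DatabaseAdapterModel:
    def __init__(self):
        self._v_connection = None

    def connect(self):
        # Created at run time, like ZopeConnection in the post.
        if self._v_connection is None:
            self._v_connection = ZopeConnectionModel(object())
        return self._v_connection


define_checker(DatabaseAdapterModel, {"connect": "zope.UseDatabaseConnections"})
define_checker(ZopeConnectionModel, {"cursor": "zope.ManageContent"})
define_checker(CursorModel, {"execute": "zope.ManageContent",
                             "fetchall": "zope.ManageContent"})


def run_query(interaction, sql):
    """Query through the proxies as a principal: rows, or the exception name."""
    adapter = proxy(DatabaseAdapterModel(), interaction)
    try:
        conn = adapter.connect()   # needs zope.UseDatabaseConnections
        cur = conn.cursor()        # needs zope.ManageContent on the connection
        cur.execute(sql)
        return cur.fetchall()
    except (Unauthorized, ForbiddenAttribute) as exc:
        return type(exc).__name__


def connection_is_proxied(interaction):
    """The run-time connection comes back wrapped, not bare."""
    adapter = proxy(DatabaseAdapterModel(), interaction)
    return isinstance(adapter.connect(), SecurityProxy)


class Unregistered:
    def anything(self):
        return 1


def probe_unregistered(interaction):
    """A class without a checker is denied even for a full-permission principal."""
    try:
        proxy(Unregistered(), interaction).anything()
        return "ok"
    except ForbiddenAttribute:
        return "ForbiddenAttribute"
```

Running `run_query` with an interaction that holds both permissions returns the row; with only `zope.UseDatabaseConnections` the call to `connect` succeeds but `cursor` raises `Unauthorized` naming the connection class, `cursor` and `zope.ManageContent`, the same shape as the traceback in the post. `probe_unregistered` shows the other half of the model: a run-time object whose class has no checker is wrapped with an empty checker and every access is forbidden, which is why a missing class declaration looks like a blanket denial.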