[Checkins] SVN: grok/branches/0.14/ Port security fix to 0.14 branch.
Martijn Faassen
faassen at infrae.com
Fri Dec 12 09:20:15 EST 2008
Log message for revision 93961:
Port security fix to 0.14 branch.
Changed:
U grok/branches/0.14/CHANGES.txt
A grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py
A grok/branches/0.14/src/grok/ftests/security/static/
A grok/branches/0.14/src/grok/ftests/security/static/textfile.txt
U grok/branches/0.14/src/grok/publication.py
-=-
Modified: grok/branches/0.14/CHANGES.txt
===================================================================
--- grok/branches/0.14/CHANGES.txt 2008-12-12 14:17:56 UTC (rev 93960)
+++ grok/branches/0.14/CHANGES.txt 2008-12-12 14:20:15 UTC (rev 93961)
@@ -4,7 +4,11 @@
0.14.1 (unreleased)
===================
+Bug fixes
+---------
+* Close a bad security hole.
+
0.14 (2008-09-29)
=================
Added: grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py
===================================================================
--- grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py (rev 0)
+++ grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py 2008-12-12 14:20:15 UTC (rev 93961)
@@ -0,0 +1,85 @@
+"""
+
+Permissions already set by non-grok components are preserved by the
+Grok publisher.
+
+The `@@contents.html` view of folders is protected by
+`zope.ManageContent` and should not be visible to unauthenticated
+users. Instead we are asked to authenticate ourselves::
+
+ >>> print http(r'''
+ ... GET /@@contents.html HTTP/1.1
+ ... ''')
+ HTTP/1.1 401 Unauthorized
+ ...
+ WWW-Authenticate: basic realm="Zope"
+ ...
+
+However, if we make a grant, e.g. on the root object, we can access
+the view just fine:
+
+ >>> from zope.securitypolicy.interfaces import IPrincipalPermissionManager
+ >>> root = getRootFolder()
+ >>> root_perms = IPrincipalPermissionManager(root)
+ >>> root_perms.grantPermissionToPrincipal('zope.ManageContent',
+ ... 'zope.anybody')
+ >>> print http(r'''
+ ... GET /@@contents.html HTTP/1.1
+ ... ''')
+ HTTP/1.1 200 Ok
+ ...
+
+But we can still access Grok views not explicitly protected. We create
+an application and add it to the database::
+
+ >>> grok.testing.grok(__name__)
+ >>> from grok.ftests.security.preserve_permissions import App
+ >>> root = getRootFolder()
+ >>> root['app'] = App()
+
+The default view is accessible::
+
+ >>> from zope.testbrowser.testing import Browser
+ >>> browser = Browser()
+ >>> browser.open('http://localhost/app')
+ >>> print browser.contents
+ Moo!
+
+While the manage view is locked::
+
+ >>> browser.open('http://localhost/app/@@manage')
+ Traceback (most recent call last):
+ ...
+ httperror_seek_wrapper: HTTP Error 401: Unauthorized
+
+We have some static resources defined in a local `static` directory,
+which we can access unauthenticated::
+
+ >>> browser.open('http://localhost/@@/grok.ftests.security/textfile.txt')
+ >>> print browser.contents
+ Just a test.
+
+When we authenticate, everything works fine::
+
+ >>> browser.addHeader('Authorization', 'Basic mgr:mgrpw')
+ >>> browser.open('http://localhost/app/@@manage')
+ >>> print browser.contents
+ Woo!
+
+"""
+import grok
+
+class ManageApp(grok.Permission):
+ grok.name('app.Manage')
+
+class App(grok.Application, grok.Container):
+ pass
+
+class Index(grok.View):
+ def render(self):
+ return 'Moo!'
+
+class Manage(grok.View):
+ grok.require('app.Manage')
+ def render(self):
+ return 'Woo!'
Added: grok/branches/0.14/src/grok/ftests/security/static/textfile.txt
===================================================================
--- grok/branches/0.14/src/grok/ftests/security/static/textfile.txt (rev 0)
+++ grok/branches/0.14/src/grok/ftests/security/static/textfile.txt 2008-12-12 14:20:15 UTC (rev 93961)
@@ -0,0 +1 @@
+Just a test.
Modified: grok/branches/0.14/src/grok/publication.py
===================================================================
--- grok/branches/0.14/src/grok/publication.py 2008-12-12 14:17:56 UTC (rev 93960)
+++ grok/branches/0.14/src/grok/publication.py 2008-12-12 14:20:15 UTC (rev 93961)
@@ -21,11 +21,15 @@
from zope.security.checker import selectChecker
from zope.publisher.publish import mapply
+from zope.publisher.interfaces.browser import IBrowserView
+
from zope.app.publication.http import BaseHTTPPublication, HTTPPublication
from zope.app.publication.browser import BrowserPublication
from zope.app.publication.requestpublicationfactories import \
BrowserFactory, XMLRPCFactory, HTTPFactory
from zope.app.http.interfaces import IHTTPException
+from grokcore.view import View as GrokView
+from grok.components import JSON
class ZopePublicationSansProxy(object):
@@ -36,7 +40,14 @@
def traverseName(self, request, ob, name):
result = super(ZopePublicationSansProxy, self).traverseName(
request, ob, name)
- return removeSecurityProxy(result)
+ bare_result = removeSecurityProxy(result)
+ if IBrowserView.providedBy(bare_result):
+ if isinstance(bare_result, (GrokView, JSON)):
+ return bare_result
+ else:
+ return result
+ else:
+ return bare_result
def callObject(self, request, ob):
checker = selectChecker(ob)
More information about the Checkins
mailing list