[Checkins] SVN: grok/branches/0.14/ Port security fix to 0.14 branch.

Martijn Faassen faassen at infrae.com
Fri Dec 12 09:20:15 EST 2008


Log message for revision 93961:
  Port security fix to 0.14 branch.
  

Changed:
  U   grok/branches/0.14/CHANGES.txt
  A   grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py
  A   grok/branches/0.14/src/grok/ftests/security/static/
  A   grok/branches/0.14/src/grok/ftests/security/static/textfile.txt
  U   grok/branches/0.14/src/grok/publication.py

-=-
Modified: grok/branches/0.14/CHANGES.txt
===================================================================
--- grok/branches/0.14/CHANGES.txt	2008-12-12 14:17:56 UTC (rev 93960)
+++ grok/branches/0.14/CHANGES.txt	2008-12-12 14:20:15 UTC (rev 93961)
@@ -4,7 +4,11 @@
 0.14.1 (unreleased)
 ===================
 
+Bug fixes
+---------
 
+* Close a bad security hole.
+
 0.14 (2008-09-29)
 =================
 

Added: grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py
===================================================================
--- grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py	                        (rev 0)
+++ grok/branches/0.14/src/grok/ftests/security/preserve_permissions.py	2008-12-12 14:20:15 UTC (rev 93961)
@@ -0,0 +1,85 @@
+"""
+
+Permissions already set by non-grok components are preserved by the
+Grok publisher.
+
+The `@@contents.html` view of folders is protected by
+`zope.ManageContent` and should not be visible to unauthenticated
+users. Instead we are asked to authenticate ourselves::
+
+  >>> print http(r'''
+  ... GET /@@contents.html HTTP/1.1
+  ... ''')
+  HTTP/1.1 401 Unauthorized
+  ...
+  WWW-Authenticate: basic realm="Zope"
+  ...
+
+However, if we make a grant, e.g. on the root object, we can access
+the view just fine:
+
+  >>> from zope.securitypolicy.interfaces import IPrincipalPermissionManager
+  >>> root = getRootFolder()
+  >>> root_perms = IPrincipalPermissionManager(root)
+  >>> root_perms.grantPermissionToPrincipal('zope.ManageContent',
+  ...                                       'zope.anybody')
+  >>> print http(r'''
+  ... GET /@@contents.html HTTP/1.1
+  ... ''')
+  HTTP/1.1 200 Ok
+  ...
+
+But we can still access Grok views not explicitly protected. We create
+an application and add it to the database::
+
+  >>> grok.testing.grok(__name__)
+  >>> from grok.ftests.security.preserve_permissions import App
+  >>> root = getRootFolder()
+  >>> root['app'] = App()
+
+The default view is accessible::
+  
+  >>> from zope.testbrowser.testing import Browser
+  >>> browser = Browser()
+  >>> browser.open('http://localhost/app')
+  >>> print browser.contents
+  Moo!
+
+While the manage view is locked::
+
+  >>> browser.open('http://localhost/app/@@manage')
+  Traceback (most recent call last):
+  ...
+  httperror_seek_wrapper: HTTP Error 401: Unauthorized
+
+We have some static resources defined in a local `static` directory,
+which we can access unauthenticated::
+
+  >>> browser.open('http://localhost/@@/grok.ftests.security/textfile.txt')
+  >>> print browser.contents
+  Just a test.
+
+When we authenticate, everything works fine::
+
+  >>> browser.addHeader('Authorization', 'Basic mgr:mgrpw')
+  >>> browser.open('http://localhost/app/@@manage')
+  >>> print browser.contents
+  Woo!
+  
+"""
+import grok
+
+class ManageApp(grok.Permission):
+    grok.name('app.Manage')
+
+class App(grok.Application, grok.Container):
+    pass
+
+class Index(grok.View):
+    def render(self):
+        return 'Moo!'
+
+class Manage(grok.View):
+    grok.require('app.Manage')
+    def render(self):
+        return 'Woo!'
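Review bot: The doctest covers a non-Grok browser view (`@@contents.html`, which must keep its security proxy) and two Grok views, but not a `grok.JSON` component, although the accompanying `publication.py` change special-cases `JSON` alongside `GrokView` in `traverseName`; that branch of the fix is therefore unverified by this test. A `grok.JSON` subclass on `App` with one method, requested both with and without credentials, would pin the intended behaviour for JSON views in the same way the `Index`/`Manage` pair does for browser views. Separately, the module docstring explains what is being tested but not why the non-Grok view must stay proxied; a sentence such as "Grok views enforce `grok.require` themselves, so they are handed out unproxied; any other view must keep the proxy the Zope publisher gave it" would make the regression this guards against clear to a later reader.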

Added: grok/branches/0.14/src/grok/ftests/security/static/textfile.txt
===================================================================
--- grok/branches/0.14/src/grok/ftests/security/static/textfile.txt	                        (rev 0)
+++ grok/branches/0.14/src/grok/ftests/security/static/textfile.txt	2008-12-12 14:20:15 UTC (rev 93961)
@@ -0,0 +1 @@
+Just a test.

Modified: grok/branches/0.14/src/grok/publication.py
===================================================================
--- grok/branches/0.14/src/grok/publication.py	2008-12-12 14:17:56 UTC (rev 93960)
+++ grok/branches/0.14/src/grok/publication.py	2008-12-12 14:20:15 UTC (rev 93961)
@@ -21,11 +21,15 @@
 from zope.security.checker import selectChecker
 from zope.publisher.publish import mapply
 
+from zope.publisher.interfaces.browser import IBrowserView
+
 from zope.app.publication.http import BaseHTTPPublication, HTTPPublication
 from zope.app.publication.browser import BrowserPublication
 from zope.app.publication.requestpublicationfactories import \
      BrowserFactory, XMLRPCFactory, HTTPFactory
 from zope.app.http.interfaces import IHTTPException
+from grokcore.view import View as GrokView
+from grok.components import JSON
 
 class ZopePublicationSansProxy(object):
 
@@ -36,7 +40,14 @@
     def traverseName(self, request, ob, name):
         result = super(ZopePublicationSansProxy, self).traverseName(
             request, ob, name)
-        return removeSecurityProxy(result)
+        bare_result = removeSecurityProxy(result)
+        if IBrowserView.providedBy(bare_result):
+            if isinstance(bare_result, (GrokView, JSON)):
+                return bare_result
+            else:
+                return result
+        else:
+            return bare_result
 
     def callObject(self, request, ob):
         checker = selectChecker(ob)
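Review bot: The new branch in `traverseName` carries no comment saying why Grok views and JSON components may be returned without their security proxy while every other `IBrowserView` keeps it, which is exactly the distinction the security fix depends on; a one-line `# Grok's own views check grok.require themselves; any other view must keep the proxy the Zope publisher applied, otherwise its permission is bypassed.` above the `if` would stop a later "simplification" back to a bare `removeSecurityProxy(result)`. The nested if/else can also be flattened to a guard: `if not IBrowserView.providedBy(bare_result) or isinstance(bare_result, (GrokView, JSON)):` / `    return bare_result` / `return result`. The check is keyed on `IBrowserView` only; if this mixin also backs the XML-RPC and HTTP publications (the `XMLRPCFactory`/`HTTPFactory` imports at the top of the file suggest it does), views for those request types that are not Grok components would still come back unproxied, which is worth confirming is intended. The sibling `callObject` starts on the hunk's last line and continues outside it.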


