[Zope-dev] 2.7.3 beta attribute permission problems

Santi Camps scamps at earcon.com
Tue Oct 19 09:05:25 EDT 2004


En/na Santi Camps ha escrit:

> En/na Richard Jones ha escrit:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 19/10/2004, at 4:33 PM, Santi Camps wrote:
>>
>>> Yes, meta_type is an attribute of type string, but I don't 
>>> understand your reasons.   Acquisition, obviously, is not 
>>> implemented in strings, but if the object containing meta_type 
>>> attribute inherits from Acquisition.Implicit it should work.  In 
>>> fact, it works for Zope 2.7.0 to 2.7.2.   The problem appears in 
>>> Zope 2.7.3, and I think that the problem is the change I mentioned 
>>> in AccessControl/cAccessControl.c and 
>>> AccessControl/ImplPython.py.     I suppose this change is for some 
>>> reasonable reason, but if it breaks security validations through 
>>> implicit acquisition I think the change should be considered.
>>
>>
>>
>> AFAIK Tres is working on this. I was unable to produce a simple 
>> example case, but more recently Stefan Holek (I think) was. The last 
>> I saw was Tres saying "Aargh!" on the 13th, then on the 14th saying 
>> he's unable to produce good test cases.
>>
>> And that's the problem. Tres' patch removed "DWIM" code. I'm not sure 
>> what that meant (I know what DWIM stands for ;) ... and I'm unable to 
>> state exactly (in a test case) what it is that my code does that 
>> invokes the DWIM'y code.
>>
>>
>>     Richard
>
>
> Thanks very much for the information, Richard.  I think I should be 
> able to provide good test code (all of our framework crashes in Zope 
> 2.7.3 due to this patch).   Let's go
>
> Santi Camps
> http://www.earcon.com
>
Here is a test case for that problem.   It's a very simple case of 
what my framework does.

How to proceed:
1) Install the product in a Zope 2.7.3 beta
2) Add an instance of meta type "AccessControl Test"
3) Try http://localhost:8080/AccessControlTest/get_sum_of_values.  It 
works fine (it is a method of the Test class)
4) Try http://localhost:8080/AccessControlTest/get_product_of_values.  
It also works fine (it is a method of the Adapter class)
5) Try http://localhost:8080/AccessControlTest/crashing_test (a ZPT 
trying to access the previous methods).  It crashes!!

Error Type: Unauthorized
Error Value: The container has no security assertions. Access to 
'get_sum_of_values' of (Adapter instance at 40ae6ac0) denied.

Obviously, this is not reasonable behaviour.   If I can access those 
methods directly from a URL, I should be able to do it from a ZPT.

Doing the same on Zope 2.7.2 works fine.

I hope this helps

Santi Camps
http://www.earcon.com
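[Editor's note: the attached tarball is not reproduced on this page. The
following is an added, self-contained Python illustration and is not code
from the attachment, from Santi Camps, or from Zope itself. It models only
the lookup order that produces the "container has no security assertions"
error in the traceback above: Zope's security policy looks for a __roles__
assertion on the attribute's value, then for a '<name>__roles__' attribute
on the container (which is what ClassSecurityInfo.declarePublic and
declareProtected create on a class), then for a __roles__ on the container
itself, and refuses access when none is found. The real ZopeSecurityPolicy
has further branches (__allow_access_to_unprotected_subobjects__, acquisition
parents) that are left out here; the class names Adapter/DeclaredAdapter mirror
the thread, while the method bodies, the 'values' tuple, the 'Manager'/'Anonymous'
role sets and the tuple used in place of a PermissionRole object are constructed
assumptions for the example.]

```python
"""Simplified model of a Zope 2 style security-assertion lookup.

Added illustration, NOT Zope's AccessControl code: it models only the
lookup order that yields "The container has no security assertions".
The real ZopeSecurityPolicy also consults
__allow_access_to_unprotected_subobjects__ and acquisition parents,
which are omitted here.  Class names mirror the thread; method bodies,
sample values and role sets are constructed (assumptions).
"""


class Unauthorized(Exception):
    """Raised when the modelled policy refuses an attribute access."""


_noroles = object()  # sentinel: "no security assertion found"
PUBLIC = None        # Zope encodes 'public' as __roles__ = None


def get_roles(container, name, value):
    """Find the roles protecting `value`, reached as `name` on `container`.

    Order mirrors Zope: first a __roles__ on the value itself, then a
    '<name>__roles__' attribute on the container, which is what
    ClassSecurityInfo.declarePublic / declareProtected put on the class.
    """
    roles = getattr(value, "__roles__", _noroles)
    if roles is _noroles:
        roles = getattr(container, name + "__roles__", _noroles)
    return roles


def validate(container, name, value, user_roles):
    """Return True if a user holding `user_roles` may access container.<name>,
    otherwise raise Unauthorized with the branch that refused it."""
    roles = get_roles(container, name, value)
    if roles is _noroles:
        # Nothing declared for the attribute: fall back to the container's
        # own assertion.  If that is missing too, this is the error from
        # the thread.
        roles = getattr(container, "__roles__", _noroles)
    if roles is _noroles:
        raise Unauthorized(
            "The container has no security assertions. "
            "Access to %r of %s denied." % (name, type(container).__name__))
    if roles is PUBLIC:
        return True
    if set(roles) & set(user_roles):
        return True
    raise Unauthorized("You are not allowed to access %r" % name)


def guarded_getattr(container, name, user_roles):
    """Model of AccessControl's guarded_getattr: fetch, then validate."""
    value = getattr(container, name)
    validate(container, name, value, user_roles)
    return value


# --- classes mirroring the thread's test product (bodies are constructed) ---

class Adapter(object):
    """No security declarations at all, like the failing case in the thread."""
    values = (2, 3, 4)  # constructed sample data

    def get_product_of_values(self):
        p = 1
        for v in self.values:
            p *= v
        return p

    def get_sum_of_values(self):
        return sum(self.values)


class DeclaredAdapter(Adapter):
    """Same class with the effect of
        security.declarePublic('get_product_of_values')
        security.declareProtected(<some permission>, 'get_sum_of_values')
    written out as the attributes those calls create.  A real
    declareProtected stores a PermissionRole object that resolves to
    roles at access time; the tuple below stands in for that result."""
    get_product_of_values__roles__ = PUBLIC
    get_sum_of_values__roles__ = ("Manager",)


def try_access(container, name, user_roles):
    """Call container.<name> through the guard; return (allowed, result-or-message)
    so a caller can see which branch of the policy fired."""
    try:
        return True, guarded_getattr(container, name, user_roles)()
    except Unauthorized as e:
        return False, str(e)


if __name__ == "__main__":
    print(try_access(Adapter(), "get_sum_of_values", ("Manager",)))
    print(try_access(DeclaredAdapter(), "get_product_of_values", ("Anonymous",)))
    print(try_access(DeclaredAdapter(), "get_sum_of_values", ("Anonymous",)))
```

The first call reproduces the shape of the traceback above: even a user holding
the Manager role is refused on the undeclared Adapter, because the refusal comes
from the absence of any assertion, not from a role mismatch. The check a
practitioner wants when seeing this error is therefore to look for the missing
security declaration on the method or its container, not for a missing role.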


-------------- next part --------------
A non-text attachment was scrubbed...
Name: testAccessControl.tar.gz
Type: application/gzip
Size: 1343 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-dev/attachments/20041019/535f7dbd/testAccessControl.tar-0001.bin
