[Zope-dev] 2.7 branch: attribute permission problems

Chris McDonough chrism at plope.com
Tue Sep 21 10:40:29 EDT 2004


Richard,

Would you be able to write a short test case that demonstrates the
failure mode that you're seeing in your existing code?  It would be nice
to understand the failure before blindly reenabling the old behavior
because it really is DWIM.

Thanks!

- C


On Tue, 2004-09-14 at 21:18, Richard Jones wrote:
> 
> [might dupe - sent the first copy of this from the wrong address, sorry!]
> 
> I've just upgraded to use the bleeding-edge 2-7 branch (from 2.7.2, running in
> py 2.3.3) and I've started getting permission problems with attributes. The
> cause appears to be acquired attributes. With VerboseSecurity installed
> (note: behaviour not dependent on VS - I checked), I get told:
> 
>  Error Type: Unauthorized
>  Error Value: The container has no security assertions. Access to 'secure_url'
>    of (CG Conference Proposals proposals at 0x41387b40) denied.
> 
> The "secure_url" attribute is defined at a much higher object, where we have a
> declaration including:
> 
>     security.setDefaultAccess({'secure_url': 1})
> 
> On the "proposals" object though, we don't have any declaration for the
> "secure_url" attribute. If I add one, or a general
> security.setDefaultAccess("allow"), then the error goes away. This doesn't
> seem correct to me.
> 
> The relevant change in CVS appears to be:
> 
> *** ../../../../Zope-2.7.2/lib/python/AccessControl/ImplPython.py 2004-02-10
> 17:46:02.000000000 +1100
> - --- AccessControl/ImplPython.py 2004-09-15 09:59:41.617423171 +1000
> ***************
> *** 551,560 ****
>               return v
> 
>           validate = SecurityManagement.getSecurityManager().validate
> - -         # Filter out the objects we can't access.
> - -         if hasattr(inst, 'aq_acquire'):
> - -             return inst.aq_acquire(name, aq_validate, validate)
> - -         # Or just try to get the attribute directly.
>           if validate(inst, inst, name, v):
>               return v
>       raise Unauthorized, name
> - --- 551,556 ----
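
Review bot: In the 551,560 hunk, once the `hasattr(inst, 'aq_acquire')` branch is removed the only check left is `validate(inst, inst, name, v)`, which passes `inst` in both of the first two argument positions, so a name that reaches `inst` by acquisition is checked with `inst` itself in the second position instead of going through `aq_acquire(name, aq_validate, validate)`. That matches the report above, where `secure_url` is declared higher up and `proposals` has no declaration of its own. If that is the intended rule, say so in a comment at the remaining `validate` call and add a regression test for an acquired attribute whose declaration lives only on the parent; if it is not, the acquired case needs its own check before falling through to `raise Unauthorized, name`.
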
> 
> The change note being "- Removed DWIM'y attempt to filter
> acquired-but-not-aceessible results from 'guarded_getattr'." and I'm not sure
> what that means :)
> 
> 
>     Richard
> 
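
A simplified model of the behaviour discussed in this thread, added here as an illustration and not code from Zope or from either poster. It contrasts the removed branch (check each acquired candidate against the object it was found on) with the remaining `validate(inst, inst, name, v)` call. `Node`, `allow`, `acquire`, `demo`, the two function names and the one-line policy inside `validate` are assumptions made for the example.

```python
# Simplified model of the two guarded_getattr branches in the quoted diff.
# All names are constructed for this example; this is not Zope's code.

class Unauthorized(Exception):
    pass

class Node:
    """Object in a containment chain. `allow` stands in for the mapping given
    to security.setDefaultAccess; None means no security assertions."""
    def __init__(self, label, parent=None, allow=None, **attrs):
        self.label, self.parent, self.allow, self.attrs = label, parent, allow, attrs

    def chain(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

def validate(accessed, container, name, value):
    """Model policy (assumption): only the container's assertions count."""
    return container.allow is not None and bool(container.allow.get(name))

def acquire(inst, name):
    """Return the first value for `name` found walking up from inst."""
    for node in inst.chain():
        if name in node.attrs:
            return node.attrs[name]
    raise AttributeError(name)

def guarded_getattr_old(inst, name):
    # Removed branch: check each candidate against the object it was found on.
    acquire(inst, name)  # AttributeError if nobody defines it
    for node in inst.chain():
        if name in node.attrs and validate(inst, node, name, node.attrs[name]):
            return node.attrs[name]
    raise Unauthorized(name)

def guarded_getattr_new(inst, name):
    # Remaining branch: validate(inst, inst, name, v), inst is the container.
    v = acquire(inst, name)
    if validate(inst, inst, name, v):
        return v
    raise Unauthorized(name)

def demo():
    # Constructed objects mirroring the report: declaration on the parent only.
    site = Node("site", allow={"secure_url": 1}, secure_url="https://example.invalid/")
    proposals = Node("proposals", parent=site)
    return site, proposals
```

In this model the old function returns the acquired value, the new one raises `Unauthorized` until `proposals` gets its own declaration, which is the pattern described in the report.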


