[Zope-dev] Re: security problem in an monkey-patch
tseaver at palladion.com
Wed Sep 19 10:16:37 EDT 2007
Joachim Schmitz wrote:
> I have monkey-patched the QueueCatalog to adapt it to our needs, which
> works fine. I now wanted to introduce a new feature:
> The QueueCatalog should be bypassed during mass-import of data.
> So I introduced a new variable "_bypass", and new getBypassQueue() and
> setBypassQueue() methods in the monkey-patch:
> security.declareProtected(view_management_screens, 'getBypassQueue')
> def getBypassQueue(self):
>     "get _bypass"
>     if not hasattr(self, "_bypass"):
>         self._bypass = False
>     return self._bypass
I would write this as:
    return getattr(self, '_bypass', False)
avoiding both write-on-read and hasattr in one fell swoop.
> security.declareProtected(view_management_screens, 'setBypassQueue')
> def setBypassQueue(self, bypass=False):
>     "set _bypass"
>     self._bypass = bypass
>
> from Products.QueueCatalog.QueueCatalog import QueueCatalog
> QueueCatalog.getBypassQueue = getBypassQueue
> QueueCatalog.setBypassQueue = setBypassQueue
> I can invoke these methods from the url like:
> displays a 1
> But when I do a:
> <input type="checkbox" name="enable_bypass"
> here/portal_catalog/getBypassQueue" />
> I get:
> Unauthorized: The container has no security assertions. Access to
> 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
> What am I missing here?
You need to supply security assertions for the new method you have added
to the class (your security assertions are being "left behind" in the
context where you defined the function). Likely you can add another
attribute to the class, 'getBypassQueue__roles__', with the value being
a tuple, ('Manager',) (unless you want to figure out how to create a
PermissionRoles object yourself).
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
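The point of the reply, as an added example that is not part of the thread: a small stand-in for Zope's ``<name>__roles__`` convention (constructed here, not AccessControl's own code) showing why a monkey-patched method with no assertion is refused with "no security assertions", and how the ``getBypassQueue__roles__ = ('Manager',)`` attribute fixes it. ``check_access``, ``patch`` and the ``QueueCatalog`` stub are assumptions made for the example.

```python
_MISSING = object()

class Unauthorized(Exception): "Stand-in for AccessControl.Unauthorized (constructed)."

class QueueCatalog(object): "Stand-in for Products.QueueCatalog.QueueCatalog (constructed)."

def check_access(obj, name, user_roles):
    """Emulate the publisher's check before calling ``obj.name()``.

    Zope publishes ``name`` only if ``name__roles__`` is found on the object
    or its class: ``None`` means public, a tuple lists the roles allowed.
    A missing attribute is the "no security assertions" case from the thread.
    """
    roles = getattr(obj, name + '__roles__', _MISSING)
    if roles is _MISSING:
        raise Unauthorized('The container has no security assertions. '
                           'Access to %r denied.' % name)
    if roles is not None and not set(roles) & set(user_roles):
        raise Unauthorized('Access to %r denied for roles %r'
                           % (name, tuple(user_roles)))
    return getattr(obj, name)()

def getBypassQueue(self):
    "get _bypass"
    return getattr(self, '_bypass', False)   # no write-on-read, no hasattr

def setBypassQueue(self, bypass=False):
    "set _bypass"
    self._bypass = bypass

def patch(cls, with_assertions):
    """Monkey-patch ``cls``. A module-level security.declareProtected() never
    reaches ``cls``, so the assertion has to be set on the class by hand."""
    cls.getBypassQueue = getBypassQueue
    cls.setBypassQueue = setBypassQueue
    if with_assertions:
        cls.getBypassQueue__roles__ = ('Manager',)
        cls.setBypassQueue__roles__ = ('Manager',)
    return cls

def run_demo():
    """Return (error without assertions, value with them, error for Anonymous)."""
    bare = patch(type('Bare', (QueueCatalog,), {}), with_assertions=False)
    fixed = patch(type('Fixed', (QueueCatalog,), {}), with_assertions=True)
    outcomes = []
    for obj, roles in ((bare(), ['Manager']), (fixed(), ['Manager']), (fixed(), ['Anonymous'])):
        try:
            outcomes.append(check_access(obj, 'getBypassQueue', roles))
        except Unauthorized as exc:
            outcomes.append(str(exc))
    return tuple(outcomes)
```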