[Zope-dev] Re: security problem in an monkey-patch

Tres Seaver tseaver at palladion.com
Wed Sep 19 10:16:37 EDT 2007

Joachim Schmitz wrote:
> Hi,
> I have monkey-patched the QueueCatalog to adapt it to our needs, which 
> works fine. I now wanted to introduce a new feature:
> The QueueCatalog should be bypassed during mass-import of data.
> So I introduced a new variable "_bypass", and new getBypassQueue() and 
> setBypassQueue methods in the monkey-patch:
> security.declareProtected(view_management_screens, 'getBypassQueue')
> def getBypassQueue(self):
>      "get _by_pass"
>      if not hasattr(self,"_bypass"):
>          self._bypass = False
>      return self._bypass

I would write this as:

   return getattr(self, '_bypass', False)

avoiding both write-on-read and hasattr in one fell swoop.

> security.declareProtected(view_management_screens, 'setBypassQueue')
> def setBypassQueue(self, bypass=False):
>      "set _bypass"
>      self._bypass = bypass
> from Products.QueueCatalog.QueueCatalog import QueueCatalog
> QueueCatalog.getBypassQueue = getBypassQueue
> QueueCatalog.setBypassQueue = setBypassQueue
> I can invoke these methods from the url like:
> ../portal_catalog/setBypassQueue?bypass=1
> and
> ../portal_catalog/getBypassQueue
> displays a 1
> But when I do a:
> <input type="checkbox" name="enable_bypass"
> 	               tal:attributes="checked
> 		       here/portal_catalog/getBypassQueue" />
> I get:
> Unauthorized: The container has no security assertions.  Access to 
> 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
> What am I missing here?

You need to supply security assertions for the new method you have added
to the class (your security assertions are being "left behind" in the
context where you defined the function).  Likely you can add another
attribute to the class, 'getBypassQueue__roles__', with the value being
a tuple, ('Manager',) (unless you want to figure out how to create a
PermissionRoles object yourself).

--
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
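
Added example, not part of the original message and not Zope's AccessControl code: a simplified stand-alone Python model of the class-level '<name>__roles__' lookup the reply relies on, showing the declaration staying behind in the patch module until the attribute is set on the class. SecurityInfo, restricted_call, attempt and the QueueCatalog stand-in are hypothetical names used only for illustration.

```python
# Simplified model (assumption: NOT Zope's real AccessControl machinery).

class Unauthorized(Exception):
    pass

class SecurityInfo:
    """Hypothetical stand-in for a class security declaration object."""
    def __init__(self):
        self.declared = {}                      # method name -> permission

    def declareProtected(self, permission, name):
        # Only records the declaration; no class is modified here.
        self.declared[name] = permission

def restricted_call(obj, name, user_roles):
    """Call obj.<name>() only if the class carries '<name>__roles__'."""
    roles = getattr(type(obj), name + '__roles__', None)
    if roles is None:
        raise Unauthorized("no security assertions for %r" % name)
    if not set(roles) & set(user_roles):
        raise Unauthorized("%r requires one of %r" % (name, roles))
    return getattr(obj, name)()

class QueueCatalog:                             # stand-in for the real class
    pass

security = SecurityInfo()                       # lives in the patch module
security.declareProtected('View management screens', 'getBypassQueue')

def getBypassQueue(self):
    "get _bypass"
    return getattr(self, '_bypass', False)      # no write-on-read, no hasattr

QueueCatalog.getBypassQueue = getBypassQueue    # method patched in, no roles

def attempt(obj, user_roles):
    try:
        return restricted_call(obj, 'getBypassQueue', user_roles)
    except Unauthorized:
        return 'Unauthorized'

def demo():
    catalog = QueueCatalog()
    users = (('Manager',), ('Anonymous',))      # constructed sample role sets
    before = [attempt(catalog, u) for u in users]
    QueueCatalog.getBypassQueue__roles__ = ('Manager',)   # the reply's fix
    after = [attempt(catalog, u) for u in users]
    del QueueCatalog.getBypassQueue__roles__    # leave the class as found
    return before, after

if __name__ == '__main__':
    print(demo())
```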