[Zope] Nasty subtle security bug - Me Too

Shane Hathaway shane@digicool.com
Tue, 26 Sep 2000 14:24:45 -0400 (EDT)


On Tue, 26 Sep 2000, Martijn Faassen wrote:

> Shane Hathaway wrote:
> > Martijn Faassen wrote:
> > > General problem description:
> > > 
> > >   For a ZClass instance/external methods that is only viewable by
> > >   users with a particular role, the view operation fails if that role
> > >   is only added to a user in a place deeper in the folder tree than the
> > >   folder where the External Method/ZClass instance was defined. This
> > >   occurs when the 'view' is occurring in the acquisition context of the
> > >   folder.
> > > 
> > >   It succeeds if the role is added to the user in a folder higher in the
> > >   tree, at or above the folder where the external method or ZClass instance
> > >   is defined.
> > 
> > This sounds 100% correct.  When checking security, acquisition context
> > is ignored.  What matters is *containment* (which is also accessed
> > through the acquisition machinery, but in a special way: aq_inner).  A
> > user can only access objects that are defined in a container where the
> > user is granted access.
> 
> How come it does work with DTML methods then?
> 
> I can access a DTML method 'foo' defined in the root folder that is
> only accessible with role A, even if role A is only added to me in
> a subfolder (from this subfolder).

Let's say I'm user Joe and I have a role "Employee" that allows me certain
functions throughout the site.  A role "DepartmentManager" is also
available, but I only have that role where it is given to me as a local
role in the "accounting" folder.

Let's say there's another folder on the site called "hr", for human
resources.  If security were context-dependent rather than
containment-dependent then I could just access

http://www.somesite.com/intranet/accounting/intranet/hr/manage

and I'd have "DepartmentManager" privileges in the "hr" folder.  Oops!  
(Note that there is only one "intranet" folder.  This URL uses acquisition
trickery.)

(More info in my reply to your next message...)

> Note that this policy does make acquisition rather useless for delegating
> responsibility, unless you're either using DTML only, or are coding for
> anonymous only.

Tell us what kind of security you're trying to set up, and we can probably
help you find the right way to do it.

Shane
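The containment-versus-context distinction in the message above, as an added toy model (not Zope's code; the class and function names, the `site`/`intranet`/`accounting`/`hr` tree, the users `joe` and `ann` and the role `A` are constructed for illustration). It resolves a URL the way acquisition would, so `intranet/accounting/intranet/hr` reaches the single `hr` folder through `accounting`, then evaluates the same request under two policies: one that counts any role picked up along the URL, and one that only counts roles granted in the target's own containers. It also reproduces the ZClass/External Method case from the original report, where the role is granted only in a subfolder below the object's definition.

```python
"""Toy model of Zope-style role checks: acquisition context vs. containment.

Constructed example, not Zope source.  Item, traverse, allowed_by_* and the
sample site are made up to illustrate the discussion.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Item:
    """A folder or method in the tree.  local_roles maps user -> roles granted
    here (a stand-in for Zope's local roles; attribute names are invented)."""
    name: str
    parent: Optional["Item"] = None
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)
    children: Dict[str, "Item"] = field(default_factory=dict)

    def add(self, child: "Item") -> "Item":
        child.parent = self
        self.children[child.name] = child
        return child

    def containment_chain(self) -> List["Item"]:
        """Real containers of this object, innermost first: what aq_inner walks."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


def traverse(root: Item, url_path: str) -> List[Item]:
    """Resolve a URL path as acquisition does: a name missing from the current
    object is looked up in its containers, so 'accounting/intranet' succeeds
    although 'intranet' is not inside 'accounting'.  Returns the acquisition
    context, i.e. every object the request passed through, target last."""
    context = [root]
    for name in url_path.strip("/").split("/"):
        if not name:
            continue
        current = context[-1]
        for holder in current.containment_chain():
            if name in holder.children:
                context.append(holder.children[name])
                break
        else:
            raise KeyError(f"no object named {name!r} reachable from {current.name!r}")
    return context


def roles_in(items: List[Item], user: str) -> Set[str]:
    """Union of the roles granted to user in the given objects."""
    roles: Set[str] = set()
    for item in items:
        roles |= item.local_roles.get(user, set())
    return roles


def allowed_by_context(context: List[Item], user: str, required_role: str) -> bool:
    """The unsafe policy: any role picked up anywhere along the URL counts."""
    return required_role in roles_in(context, user)


def allowed_by_containment(context: List[Item], user: str, required_role: str) -> bool:
    """The policy Shane describes: only roles granted in the target's own
    containers count, however the URL happened to reach it."""
    target = context[-1]
    return required_role in roles_in(target.containment_chain(), user)


def build_site() -> Item:
    """Constructed sample tree.  ann holds role A at the root; joe holds
    DepartmentManager only in accounting and A only in sub."""
    root = Item("site", local_roles={"ann": {"A"}})
    intranet = root.add(Item("intranet"))
    intranet.add(Item("accounting", local_roles={"joe": {"DepartmentManager"}}))
    intranet.add(Item("hr"))
    root.add(Item("foo"))                                   # method defined at the root, needs role A
    root.add(Item("sub", local_roles={"joe": {"A"}}))       # role A granted only deeper in the tree
    return root


def demo() -> Dict[str, bool]:
    """Evaluate the two requests from the thread under both policies."""
    root = build_site()
    trick = traverse(root, "intranet/accounting/intranet/hr")   # the acquisition-trickery URL
    via_sub = traverse(root, "sub/foo")                          # foo viewed in sub's context
    return {
        "hr_manager_by_context": allowed_by_context(trick, "joe", "DepartmentManager"),
        "hr_manager_by_containment": allowed_by_containment(trick, "joe", "DepartmentManager"),
        "foo_via_sub_by_context": allowed_by_context(via_sub, "joe", "A"),
        "foo_via_sub_by_containment": allowed_by_containment(via_sub, "joe", "A"),
        "foo_role_granted_at_root": allowed_by_containment(via_sub, "ann", "A"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Under the context policy joe would become a DepartmentManager in `hr` just by spelling the URL through `accounting`; under the containment policy the `hr` check fails because no container of `hr` grants him the role. The same containment rule is what makes `sub/foo` fail for joe (his role A lives below `foo`'s container) and succeed for ann (her grant sits at the root, at or above `foo`), which is exactly the behaviour the original report observed.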