[Zope] Security Problems?
Wed, 9 May 2001 10:41:18 -0400
Defining classes in external methods is... an interesting experience. I
don't recommend it. It gets tricky because the file that external methods
are defined in isn't actually a Python module, so interpreting the behavior
That said, the security chapter of the developer's guide goes into this a
little (http://www.zope.org/Documentation/ZDG/Security.dtml). The problem
is that the instances you're putting in the array don't have any security
declarations, therefore access to them is denied (raising the unauthorized).
The fix for this is to add security declarations to the class, e.g.:
from AccessControl import ClassSecurityInfo
from Globals import InitializeClass
security = ClassSecurityInfo()
for a in range(1,10):
inst = c(a)
if not hasattr(
InitializeClass(c) # it's dumb to do this every time.
If this doesn't work for some reason (setDefaultAccess was broken in at
least one Zope release), try to define the class c like so:
__allow_access_to_unprotected_subobjects__ = 1
----- Original Message -----
From: Phil Harris
Sent: Wednesday, May 09, 2001 10:08 AM
Subject: [Zope] Security Problems?
I've got a sneaking suspicion that there are some security problems in Zope
I've been trying to make a simple testcase and would like other (better)
minds than mine to look at it.
I have an external method which looks like:
for a in range(1,10):
The class 'c' is a very simple class, it has no methods and only two
attributes/properties 'score' and 'test'.
The external method 't' is also very simple, it just returns an array of
The dtml-method I'm using to access this array is as follows:
Nothing earth shattering there either.
BUT, I get an unauthorized error raised with this traceback whenever I run
(note that an authentication login box is presented but NO user name is able
Traceback (innermost last):
File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in
File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in
File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in
File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in
File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
File <string>, line 0, in ?
File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in
File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in
File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168,
All of this is run on a bog standard install of Zope 2.3.2 with no other
products installed, no security changes done, REALLY bog standard.
Anyone got any ideas?
Cos this is doin my f'in ed in man?!?!?!?!?!?
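
Added example, not part of the original thread and not Zope's own code: a simplified stand-alone model of the default-deny check the reply describes, showing why instances of a class with no security declaration are refused and how the __allow_access_to_unprotected_subobjects__ attribute changes the outcome. The names Unauthorized, validate, render, Undeclared, Declared and PerAttribute are hypothetical, and the per-name dict form is a generalization included in this model.

```python
# Simplified model of a default-deny access check (illustration only,
# not the code of Zope's security policy).

class Unauthorized(Exception):
    """Raised when restricted code touches an undeclared object."""


def validate(container, name):
    """Return container.<name> only if the container's class opted in."""
    policy = getattr(container,
                     "__allow_access_to_unprotected_subobjects__", None)
    if policy is None:
        # No security declaration at all: access is denied by default.
        raise Unauthorized(name)
    # A dict grants access per attribute name; anything else is a flag.
    allowed = policy.get(name, 0) if isinstance(policy, dict) else policy
    if not allowed:
        raise Unauthorized(name)
    return getattr(container, name)


class Undeclared:
    """Like class 'c' in the question: two attributes, no declarations."""
    def __init__(self, score):
        self.score = score
        self.test = "constructed sample value"


class Declared(Undeclared):
    """The fallback from the reply: allow all unprotected attributes."""
    __allow_access_to_unprotected_subobjects__ = 1


class PerAttribute(Undeclared):
    """Narrower grant: only 'score' is readable from restricted code."""
    __allow_access_to_unprotected_subobjects__ = {"score": 1}


def render(items, name="score"):
    """Mimic a template loop reading one attribute from each item."""
    out = []
    for item in items:
        try:
            out.append(validate(item, name))
        except Unauthorized:
            out.append("Unauthorized")
    return out


if __name__ == "__main__":
    print(render([Undeclared(1), Declared(5), PerAttribute(7)]))
```

The per-attribute form keeps the grant as narrow as the template needs, whereas the blanket flag exposes every attribute of the instances to restricted code.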