[Zope] weird, zpt security problem?

Phil Harris phil@harris-family.info
Sat, 6 Apr 2002 00:31:44 +0100


To sum up:

If Manager is denied either of the 'Access Contents Information' or 'View'
permissions then other users will not be able to gain access to properties
of objects even when they have the correct permissions to do so.

----- Original Message -----
From: "Phil Harris" <phil@harris-family.info>
To: <zope@zope.org>
Sent: Saturday, April 06, 2002 12:28 AM
Subject: Re: [Zope] weird, zpt security problem?


> It's me again, it's not just zpt that has this 'problem', it also happens
> with DTML Methods.
>
> My first thought is does it matter, but it's an interesting one.
>
> ----- Original Message -----
> From: "Phil Harris" <phil@harris-family.info>
> To: <zope@zope.org>
> Sent: Saturday, April 06, 2002 12:24 AM
> Subject: Re: [Zope] weird, zpt security problem?
>
>
> > I'm replying to my own email 'cos I think I know what the problem is.
> >
> > If you use the scheme below to try and duplicate the problem you won't,
> > BUT if you turn off either one of the permissions for manager then you
> > get the symptoms that I describe.
> >
> > OK, you'll say that manager should have those roles, and I'd agree, but
> > as someone else said "it's an unexpected inconsistency".
> >
> >
> > ----- Original Message -----
> > From: "Phil Harris" <phil@harris-family.info>
> > To: <zope@zope.org>
> > Sent: Friday, April 05, 2002 11:42 PM
> > Subject: [Zope] weird, zpt security problem?
> >
> >
> > > all,
> > >
> > > I have a problem and need someone to verify it for me, just so's I
> > > know I'm not going insane.
> > >
> > > Here's what I did:
> > >
> > > 1.    Create a folder in the root, call it folder1
> > > 2.    Create a new role in folder1, call it member
> > > 3.    Create a user folder within folder1, and create a user in there
> > >       with member role
> > > 4.    create a folder within folder1, call it folder2
> > > 5.    change the security for folder2 to turn off acquisition for the
> > >       'Access contents information' and 'view' and explicitly turn them
> > >       on for the new member role and manager
> > > 6.    create a zope page template within folder2, call it index_html
> > >       keeping the default content
> > >
> > > now start another browser and try and view the
> > > /folder1/folder2/index_html as the user you created earlier
> > >
> > > At this point I can't login with anything but a user with manager
> > > role, the member who should have enough access (and would have with a
> > > dtml method in place of the zpt), can't see this page at all.
> > >
> > > The error I get back is that the user is:
> > >
> > > Error Type: Unauthorized
> > > Error Value: You are not allowed to access title in this context
> > >
> > > With a traceback like this:
> > >
> > > Traceback (innermost last):
> > >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 150, in publish_module
> > >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 114, in publish
> > >   File D:\zope25\lib\python\Zope\__init__.py, line 159, in zpublisher_exception_hook
> > >     (Object: ftest2)
> > >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 98, in publish
> > >   File D:\zope25\lib\python\ZPublisher\mapply.py, line 88, in mapply
> > >     (Object: index_html)
> > >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 39, in call_object
> > >     (Object: index_html)
> > >   File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 252, in __call__
> > >     (Object: index_html)
> > >   File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 283, in _bindAndExec
> > >     (Object: index_html)
> > >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 177, in _eval
> > >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 134, in _eval
> > >     (Info: template)
> > >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 327, in restrictedTraverse
> > >     (Object: index_html)
> > >     (Info: {'path': ['title'], 'TraversalRequestNameStack': []})
> > >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 345, in validate2
> > >     (Object: index_html)
> > >   File D:\zope25\lib\python\AccessControl\SecurityManager.py, line 83, in validate
> > >   File D:\zope25\lib\python\AccessControl\ZopeSecurityPolicy.py, line 177, in validate
> > > Unauthorized: (see above)
> > >
> > > Does anyone else see this, am I doing something wrong, is it a bug, or
> > > am I completely insane?
> > >
> > > I'd appreciate any reports sent either to me direct or to the list.
> > >
> > > tia
> > >
> > > ps.
> > >     reporting on my sanity will get you no brownie points whatsoever ;)
> > >
> > >
> > > Phil
> > >
> > >
> > >
> > > _______________________________________________
> > > Zope maillist  -  Zope@zope.org
> > > http://lists.zope.org/mailman/listinfo/zope
> > > **   No cross posts or HTML encoding!  **
> > > (Related lists -
> > >  http://lists.zope.org/mailman/listinfo/zope-announce
> > >  http://lists.zope.org/mailman/listinfo/zope-dev )
> >
> >
> >
>
>
>
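A small Python model of the permission resolution that the six setup steps in the thread rely on, added here as an illustration; it is not code from Phil's post and not Zope's own code. It encodes only the documented rule the poster expects: a permission's roles on an object are the roles granted there, plus, while "acquire" stays on, the roles resolved on the container. The folder and role names (folder1, folder2, member, Manager, 'Access contents information', 'View') are taken from the thread; the Node class and the function names are this example's own. Zope's real policy (ZopeSecurityPolicy.validate, the last frame in the traceback) also weighs executable ownership, proxy roles and the container's protection for plain attributes such as `title`, none of which this model includes, so it reproduces the behaviour the poster expected, not the Unauthorized he observed.

```python
"""Toy model of Zope 2 permission-to-role resolution through acquisition.

Constructed example. Models the expected rule only: roles granted on the
object itself, plus the container's roles while acquisition is switched on.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ACCESS = "Access contents information"
VIEW = "View"


@dataclass
class Node:
    """A folder or document in the containment tree (hypothetical class)."""
    id: str
    parent: Optional["Node"] = None
    # permission -> (roles granted on this node, acquire from the parent?)
    settings: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)

    def manage_permission(self, permission: str, roles: List[str], acquire: bool) -> None:
        """Mirror of the Security tab: tick roles, tick or untick 'Acquire'."""
        self.settings[permission] = (set(roles), acquire)


def roles_for(node: Optional[Node], permission: str) -> Set[str]:
    """Resolve the roles holding `permission` on `node`.

    Walk towards the root, collecting roles, and stop at the first node whose
    'acquire' box for this permission is unticked. A node with no explicit
    setting behaves as 'no roles here, acquire from the parent'.
    """
    roles: Set[str] = set()
    while node is not None:
        granted, acquire = node.settings.get(permission, (set(), True))
        roles |= granted
        if not acquire:
            break
        node = node.parent
    return roles


def allowed(user_roles: List[str], node: Node, permission: str) -> bool:
    """True if any of the user's roles is among the resolved roles."""
    return bool(set(user_roles) & roles_for(node, permission))


def build_poster_scenario(manager_granted_on_folder2: bool) -> Node:
    """Steps 1 to 6 of the thread; the flag reproduces 'turn off Manager on folder2'."""
    root = Node("root")
    # Typical root setting: only Manager holds both permissions, no acquisition.
    root.manage_permission(ACCESS, ["Manager"], acquire=False)
    root.manage_permission(VIEW, ["Manager"], acquire=False)
    folder1 = Node("folder1", root)              # acquires everything from root
    folder2 = Node("folder2", folder1)
    explicit = ["member"] + (["Manager"] if manager_granted_on_folder2 else [])
    folder2.manage_permission(ACCESS, explicit, acquire=False)   # step 5
    folder2.manage_permission(VIEW, explicit, acquire=False)     # step 5
    return Node("index_html", folder2)           # step 6: acquires from folder2


def member_can_view(manager_granted_on_folder2: bool) -> bool:
    """Can the 'member' user reach index_html under this model?"""
    page = build_poster_scenario(manager_granted_on_folder2)
    return allowed(["member"], page, VIEW) and allowed(["member"], page, ACCESS)


if __name__ == "__main__":
    for flag in (True, False):
        print("Manager granted on folder2:", flag,
              "-> member can view:", member_can_view(flag),
              "| Manager can view:", allowed(["Manager"], build_poster_scenario(flag), VIEW))
```

Under this model `member_can_view` is True whether or not Manager is ticked on folder2, which is exactly the independence the poster expected; the traceback in the thread shows Zope 2.5 behaving differently, and the gap between the two is the inconsistency being reported. The model is also a quick way to check a planned permission layout before touching the ZMI: resolve each role on the leaf object and confirm that unticking 'Acquire' on an intermediate folder cuts off the roles you intended and no others.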