[Zope] Security Assertions

Godefroid Chapelle gotcha@swing.be
Thu, 17 Jan 2002 14:10:21 +0100


At 18:43 16/01/2002, you wrote:

Sorry about cross-posting but I think the following info is worth reading 
for both zope-users and developers.


>Note that up until Zope 2.5.0b4 there is a bug in the way module security 
>assertions are handled that makes it impossible to declare more than one 
>assertion without overwriting a previous assertion.  It's not really a 
>"security hole", it's just annoying and clearly broken.  I'd suggest that 
>you complain about this (or do it yourself) if you think a monkeypatch is 
>in order for Zope 2.3/2.4.

I went to CVS and read AccessControl.SecurityInfo.py

The code looked simple enough that I would take no risk by including it 
even if my understanding of the inner workings of Zope is still elementary.

The following patch works to correct the problem for Zope 2.3.3. It does 
not seem to cause any other problem.

# patch taken from Zope 2.5
from string import rfind  # 1.5.2 syntax

def ModuleSecurityInfo(module_name=None):
    if module_name is not None:
        modsec = _moduleSecurity.get(module_name, None)
        if modsec is not None:
            return modsec
        dot = rfind(module_name, '.') # 1.5.2 syntax
        if dot > 0:
            # If the module is in a package, recursively make sure
            # there are security declarations for the package steps
            # leading to the module
            modname = module_name[dot + 1:]
            pmodsec = ModuleSecurityInfo(module_name[:dot])
            if not pmodsec.names.has_key(modname):
                pmodsec.declarePublic(modname)
    return _ModuleSecurityInfo(module_name)

class _ModuleSecurityInfo(SecurityInfo):
    """Encapsulate security information for modules."""


in place of

class ModuleSecurityInfo(SecurityInfo):
    """Encapsulate security information for modules."""


I do not know what you mean by a 'monkeypatch' but it is certainly worth it 
to add the patch to the 2.3.x and 2.4.x branches.




>Godefroid Chapelle wrote:
>
>>  > Casey Duncan wrote:
>>  >
>>  > > So the following things don't work:
>>  > >
>>  > > from Products.Formulator.Form import FormValidationError
>>  >
>>  > Either Martijn or you need to add the following lines to a Product
>>  > __init__.py somewhere:
>>  >
>>  > from AccessControl import ModuleSecurityInfo
>>  > ModuleSecurityInfo('Products').declarePublic('Formulator')
>>  > ModuleSecurityInfo('Products.Formulator').declarePublic('Form')
>>  > ModuleSecurityInfo('Products.Formulator.Form').declarePublic('FormValidationError')
>>
>>  >
>>  > Cheers,
>>  >
>>  > Evan @ Zope
>>
>>I added the above code in the corresponding __init__.py on my machine,
>>which works almost perfectly...
>>Further, I needed to be able to import:
>>from Products.gvibDA.gvib.gvibExceptions import IntegrityError
>>
>>So I added the following code in gvibDA's __init__.py
>>from Products.PythonScripts.Utility import allow_module, allow_class
>>from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
>>from Globals import InitializeClass
>>ModuleSecurityInfo('Products').declarePublic('gvibDA')
>>ModuleSecurityInfo('Products.gvibDA').declarePublic('gvib')
>>ModuleSecurityInfo('Products.gvibDA.gvib').declarePublic('gvibExceptions')
>>ModuleSecurityInfo('Products.gvibDA.gvib.gvibExceptions').declarePublic('IntegrityError') 
>>
>>from gvib.gvibExceptions import IntegrityError
>>allow_class(IntegrityError)
>>
>>I get an 'Unauthorized: Formulator' error when accessing a script 
>>beginning with
>>from Products.Formulator.Form import FormValidationError
>>from Products.gvibDA.gvib.gvibExceptions import IntegrityError
>>
>>I suppose it has something to do with the creation of two instances of 
>>ModuleSecurityInfo('Products') but have no idea how to correct the problem.
>>Any help would be appreciated.
>>
>>--
>>
>>Godefroid Chapelle
>>BubbleNet sprl
>>rue Victor Horta, 18 / 202
>>1348 Louvain-la-Neuve
>>Belgium
>>Tel + 32 (10) 459901
>>Mob + 32 (477) 363942
>>TVA 467 093 008
>>RC Niv 49849
>>

--

Godefroid Chapelle

BubbleNet sprl
rue Victor Horta, 18 / 202
1348 Louvain-la-Neuve
Belgium

Tel + 32 (10) 459901
Mob + 32 (477) 363942

TVA 467 093 008
RC Niv 49849
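
The overwrite discussed in this thread, as an added example that is not part of the original message and is not Zope's code: a small modern-Python model in which two products each declare names on 'Products', run once against a constructor that replaces the registered object and once against a lookup-first factory shaped like the patch above. ModuleInfo, buggy_factory, fixed_factory and public_names are hypothetical names, and the replace-on-construct behaviour is an assumption about the pre-fix code.

```python
# Simplified model of a module-security registry (assumed for illustration,
# not Zope source). ModuleInfo and both factories are hypothetical names.

class ModuleInfo:
    def __init__(self):
        self.names = {}  # name -> access declaration for one module

    def declarePublic(self, *names):
        for name in names:
            self.names[name] = "public"


def buggy_factory(registry):
    """Assumed pre-fix behaviour: each call replaces the registered object."""
    def info(module_name):
        registry[module_name] = ModuleInfo()
        return registry[module_name]
    return info


def fixed_factory(registry):
    """Lookup first, as in the patch; declare each package step on its parent."""
    def info(module_name):
        existing = registry.get(module_name)
        if existing is not None:
            return existing
        dot = module_name.rfind(".")
        if dot > 0:
            parent = info(module_name[:dot])
            child = module_name[dot + 1:]
            if child not in parent.names:
                parent.declarePublic(child)
        registry[module_name] = ModuleInfo()
        return registry[module_name]
    return info


def public_names(factory, module_name):
    """Replay the two __init__.py declaration sets quoted in the thread."""
    registry = {}
    info = factory(registry)
    info("Products").declarePublic("Formulator")
    info("Products.Formulator").declarePublic("Form")
    info("Products.Formulator.Form").declarePublic("FormValidationError")
    info("Products").declarePublic("gvibDA")
    info("Products.gvibDA").declarePublic("gvib")
    info("Products.gvibDA.gvib").declarePublic("gvibExceptions")
    info("Products.gvibDA.gvib.gvibExceptions").declarePublic("IntegrityError")
    return sorted(registry[module_name].names)
```

In the model, the replacing constructor leaves only 'gvibDA' declared on 'Products', which is consistent with the 'Unauthorized: Formulator' error quoted above; the lookup-first factory keeps both names.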