[Zope] Security?

Goldthwaite, Joe joe at goldthwaites.com
Mon Dec 1 17:24:47 EST 2003


Well, it didn't work.  As soon as I tried to create a loop and access the
.desc property of the ISLine objects, I got this message;

Error Type: Unauthorized
Error Value: You are not allowed to access desc in this context

I guess I don't understand how or why I'm hitting this.  I've already run
the module that does the dangerous thing - accessing the database.  All I'm
getting back is a list of objects but I can't even reference the desc
attribute which is just a string.  I'd like to just disable the security
stuff until I get things working.  I don't really have time to fight with it
right now.  When I do put it in, it will be based on the SQL server security
not on Zope's.

I went to the developer guide and tried their example.  I put this at the
top;

from AccessControl import ClassSecurityInfo

After the class definition line before the first (__init__) function, I put
these lines;

security = ClassSecurityInfo()
security.declarePublic('DefLines')

I saved and reloaded everything but I still get the logon dialog.  I must be
close but it's just not working.  I really don't understand.  The work is
done. All I'm trying to do is access the resulting data in the ZPT.  Here
are the offending lines;

<tr tal:repeat="item here/GetISLines"> <!-- GetISLines is an external module that returns a list -->
  <td tal:content="item/desc">desc</td> <!-- this should display the line description for each line -->
</tr>

That's it but for some unknown security reason, it blows up.

P.S.  I've also gone through my three other Zope books but haven't been able
to find the answer.  I don't mean to complain but it seems every time I
think I've got it, I get whacked.  I really do appreciate the help though
:).


-----Original Message-----
From: zope-bounces at zope.org [mailto:zope-bounces at zope.org]On Behalf Of
Goldthwaite, Joe
Sent: Monday, December 01, 2003 2:39 PM
To: zope at zope.org
Subject: RE: [Zope] Security?


Thanks Casey,

The DefLines attribute of the ISLines object was a simple list.  I changed
the return from "return c" to "return c.DefLines" and then modified this;

 <p tal:replace="python:len(here.GetISLines().DefLines)"></p>

to this;

 <p tal:replace="python:len(here.GetISLines())"></p>

And I got my 75 line count in the Income Statement.  I'll try
creating a loop that displays the lines on the page.  I had gone through the
developer guide chapter on security but it's not making much sense yet.  I'm
going to see if I can access my line objects and I'll revisit the assertions
if it doesn't work.  (The line object has a method that returns a year to
date number and I suspect I'll get the unauthorized method when I try to
access it).

Thanks again - and thanks to everyone else who answered with help.


-----Original Message-----
From: Casey Duncan [mailto:casey at zope.com]
Sent: Monday, December 01, 2003 2:13 PM
To: joe at goldthwaites.com
Cc: zope at zope.org
Subject: Re: [Zope] Security?


These Unauthorized errors (login boxes) are caused by trying to access
objects from untrusted code that do not have any Zope security assertions on
them.

TTW code (Python Scripts, DTML and Page Templates), including skins on the
file system exposed through FS directory views, are untrusted code. They
execute using a restricted Python interpreter which prevents access to
arbitrary Python objects and modules that might represent a security hole
(and allow you to compromise the server).

There are two solutions to your problem:

1. Use trusted code, which includes external methods and Zope product
modules, and have them return simple types (strings, ints, etc) or simple
containers (lists, dicts, tuples) containing simple types up to the template
that is rendering the page. Simple types are deemed safe for untrusted code
by default (along with some others, like DateTime objects).

2. Put security assertions on the objects used by untrusted code. This
usually requires you to subclass the objects, but not always. See the Zope
developers guide for details.

In most cases #1 is sufficient unless there are many places where it is
desirable for untrusted code to have access to the objects directly, in
which case use #2.

hth,

-Casey

On Mon, 1 Dec 2003 13:45:01 -0700
"Goldthwaite, Joe" <joe at goldthwaites.com> wrote:

> Well, I don't know if it's progress but I think my questions are getting
> more specific.
>
> I downloaded the mx.ODBC routines for Python 2.1.3.  I can now start the
> python interpreter in the WebSite\bin directory and type "import mx.ODBC"
> without getting an error.
>
> I next tried to create a limited python script;
>
> from Products.EIS import ISLines
> c = ISLines()
> return "c"
>
> I'm just returning the literal "c" on purpose because my page template can't
> handle the ISLines yet.  In my Income Statement ZPT I have this line;
>
> <p tal:replace="python:here.IncomeStatementScript()"></p>
>
> When I try to display the ZPT, I get the Zope logon dialog box.  I only have
> one login and it doesn't work so I just hit cancel and get "You are not
> allowed to access EIS in this context".  (I had placed the ISLines.py file
> in my Products/EIS directory.)
>
> After that, I decided to try external modules.  I added this wrapper
> function to my ISLines.py module;
>
> def GetISLines():
>    c = ISLines()
>    return "c"
>
> Again, I put the literal "c" there to make sure I was calling things
> correctly.  I moved the ISLines.py file to the Extensions directory and
> created a GetISLines external method referencing the new function in Zope
> root folder.   I tested it and got the "c" back.  Next, I put this line in
> my IncomeStatment ZPT;
>
> <p tal:replace="python:here.GetISLines()"></p>
>
> When I test it, I get the "c" back.  Interestingly, there was also a pause of
> about the amount of time it takes to run ISLines and build the Income
> Statement lines.  I thought I was almost there.  The next step was to return
> the actual object and print out the number of lines returned.  I modified
> the 'return "c"' line to 'return c'.  Now when I run it, I get "<? ISLines
> instance at 014879EC>" so I know I'm now returning my object.  Finally I try
> to reference my list of lines by printing the length like this;
>
> <p tal:replace="python:len(here.GetISLines().DefLines)"></p>
>
> Deflines is a list of income statement line objects. I go to refresh and I
> get the Logon dialog again!  #$%@ &@#% &^@$!!!!  Sorry, I don't usually use
> that kind of language but I seem to be shooting at the wrong target. It's no
> wonder I can't hit anything.


_______________________________________________
Zope maillist  -  Zope at zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
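Casey's option #1 (trusted code returning only simple types) and the `.desc` / year-to-date access Joe is trying to do, worked through as an added example that is not part of the thread. ISLine, ISLines and the sample amounts are constructed stand-ins for the real ISLines.py; `is_simple` is a hypothetical helper that checks, before the value leaves the external method, that restricted code will be handed nothing but strings, numbers, lists, tuples and dicts. Written in modern Python rather than the Python 2.1 of the thread.

```python
from numbers import Number


class ISLine:
    """Stand-in (constructed) for one income statement line object."""

    def __init__(self, desc, amounts):
        self.desc = desc
        self._amounts = list(amounts)  # constructed monthly amounts

    def ytd(self):
        """Year-to-date total; calling a method like this from a ZPT on the raw
        object would raise Unauthorized, since ISLine carries no assertions."""
        return sum(self._amounts)


class ISLines:
    """Stand-in (constructed) for the object whose DefLines holds the lines."""

    def __init__(self, lines):
        self.DefLines = list(lines)


# Constructed sample data in place of what ISLines() loads via mx.ODBC.
SAMPLE_LINES = [
    ISLine("Sales", [100.0, 120.5, 99.5]),
    ISLine("Cost of goods", [-40.0, -45.0, -38.0]),
]

SIMPLE_SCALARS = (str, bytes, bool, Number, type(None))


def is_simple(value):
    """True if value is built only from the types restricted Python allows
    by default: simple scalars inside lists, tuples and str-keyed dicts."""
    if isinstance(value, SIMPLE_SCALARS):
        return True
    if isinstance(value, (list, tuple)):
        return all(is_simple(v) for v in value)
    if isinstance(value, dict):
        return all(isinstance(k, str) and is_simple(v) for k, v in value.items())
    return False  # an ISLine, ISLines or any other class instance


def GetISLines(lines=None):
    """External method body: flatten each ISLine into a dict of simple types,
    so tal:repeat="item here/GetISLines" can use item/desc and item/ytd
    without security assertions on ISLine itself."""
    c = ISLines(SAMPLE_LINES if lines is None else lines)
    result = [{"desc": line.desc, "ytd": float(line.ytd())} for line in c.DefLines]
    assert is_simple(result), "external method would hand the ZPT a non-simple object"
    return result
```

Returning `c` (the ISLines instance) fails the `is_simple` check for the same reason the template got Unauthorized: it is an arbitrary class instance with no Zope security declarations.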