[Zope3-dev] queryAdapter via __conform__

[Dominik Huber]

Jim Fulton wrote:
> 
> Dominik Huber wrote:
> > If queryAdapter is called by a view, the result is an unproxied 
> adapted object.
> 
> Well, if the object being adaptged is proxied, then queryAdapter will
> either return the object itself, which would be proxied, or it 
> would return
> an adapter of the proxied object, in which case you have an adapter
> of a proxy, and the underlying object is protected.

I comprehend this the same way.

> > If __conform__ is invoked during this call, the resulting 
> adapted object is proxied.
> 
> If you are getting a proxy from __conform__, then the underlying object
> was proxied and the resulting adapter should be proxied.

That is the fact I observed too.

> > I would suggest to extend queryAdapter by a removeAllProxies to 
> provid a consistent behavior. Thus for example 
> > the __conform__ mechansim could also used in the widget 
> framework (editview).
> 
> No.
> 
> > I will checking this changes if nobody has objections.
> 
> I object. Don't check this change in.
> Such a change would cause __conform__ to be a security hole.
> 
> Why is a security-proxied adapter a problem?

I'm not against security-proxied adapters but then all adapters should be security-proxied if possible. My sole objection was that the current implementation does not provide a consistent way. IMO the invocation via __coform__ should provide an alternative (similar) way to adapted an object.

I ignored the securtiy aspect (B.3), exuse me, but the the only consistent way without security concerns would be to security-proxy all adapters (via global and conform invocation B.2 and B.4). This conclusion bases on two scenarios: a sample adapter that references a proxied object (A) and a sample adapter that references an unproxied object (B).

IMO already the current implementation could cause the same security hole if sombody stores a unproxied reference to the object inside the adapter (B.1).

A: sample adapter with s._object reference to the proxied object
----------------------------------------------------------------

1. via global lookup (current implementation): adapted isProxy: False, object isProxy: True
*2. via global lookup (security-proxied adapter): adapted isProxy: True, object isProxy: True
3. via conform lookup (incl. removeProxies): adapted isProxy: False, object isProxy: False
4. via conform lookup (excl. removeProxies): adapted isProxy: True, object isProxy: True

B: sample adapter with s._object reference to the unproxied object
------------------------------------------------------------------

1. via global lookup (current implementation): adapted isProxy: False, object isProxy: False
*2. via global lookup (security-proxied adapter): adapted isProxy: True, object isProxy: True
3. via conform lookup (incl. removeProxies): adapted isProxy: False, object isProxy: False
4. via conform lookup (excl. removeProxies): adapted isProxy: True, object isProxy: True

*hypothetical

regards,
dominik