[Zope3-dev] Bug in checkPermission (was: Permissions for 'zmi_views' menu)

Dmitry Vasiliev lists at hlabs.spb.ru
Fri Jul 23 06:58:12 EDT 2004


Dmitry Vasiliev wrote:
> Hi, All!
> 
> It seems like the 'zmi_views' menu has been broken for some services.
> 
> For example '/++etc++site/default/ErrorLogging/@@index.html' shows only 
> 'Registration', 'Metadata', 'Introspector' menu items for me. If I 
> change permission="zope.Public" to permissions="zope.View" (file 
> src/zope/app/errorservice/browser/configure.zcml, line 23) then I see 5 
> menu items (like some time before): 'Errors', 'Configure', 
> 'Registration', 'Metadata', 'Introspector'.
> 
> Should I change 'zope.Public' to 'zope.View' for all such services (for 
> example: errorservice, cache...)? Maybe there is something wrong with 
> permissions?
> 

With the following patch I tried to access 
/++etc++site/default/ErrorLogging/@@errorRedirect.html ...

-------------------------------------------------------------------

Index: src/zope/security/management.py
===================================================================
--- src/zope/security/management.py     (revision 26693)
+++ src/zope/security/management.py     (working copy)
@@ -104,6 +104,8 @@
  def restoreInteraction():
      thread_local.interaction = thread_local.previous_interaction

+from zope.security.checker import CheckerPublic
+
  def checkPermission(permission, object, interaction=None):
      """Return whether security policy allows permission on object.

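Review bot: The `from zope.security.checker import CheckerPublic` line is added in the middle of the module, between restoreInteraction() and checkPermission(), and in this patch the name is used only by the debug print in the next hunk. If the name is kept for an identity check inside checkPermission(), move the import to the top of the module with any other imports; otherwise drop it together with the print.
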
@@ -117,9 +119,12 @@
      checkPermission is guaranteed to return True if permission is
      CheckerPublic or None.
      """
+    print "PERM", permission, permission is CheckerPublic, object, 
interaction
      if interaction is None:
          interaction = thread_local.interaction
-    return interaction.checkPermission(permission, object)
+    p = interaction.checkPermission(permission, object)
+    print "PASS?", p
+    return p

  addCleanUp(endInteraction)

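Review bot: The two print statements added to checkPermission() are debugging instrumentation that runs on every permission check and writes the object's repr and the decision to stdout, so they should be removed before this is committed. The first print is also wrapped onto a second line (a bare "interaction"), so the hunk will not apply or parse as posted. The result still comes entirely from interaction.checkPermission(), so the docstring's guarantee for CheckerPublic or None is not enforced in this function; if that guarantee is intended, add the check before the interaction lookup and cover it with a test.
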
--------------------------------------------------------------------

...and get the following output:

--------------------------------------------------------------------

PERM Global(CheckerPublic,zope.security.checker) True <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
PASS? False
PERM Global(CheckerPublic,zope.security.checker) True <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
PASS? False
PERM zope.ManageServices False <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
PASS? True

... skipped ...
---------------------------------------------------------------------

If "checkPermission is guaranteed to return True if permission is 
CheckerPublic or None" why can't we just do:

if permission is CheckerPublic or permission is None:
     return True

in zope.security.management.checkPermission?

-- 
Dmitry Vasiliev (dima at hlabs.spb.ru)
     http://hlabs.spb.ru
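
The guard proposed in the message above, as an added example that is not part of the original post and not zope.security's own code: a self-contained Python 3 model comparing the delegating function with the guarded one. `GrantOnlyInteraction`, `check_permission_delegating`, `check_permission_guarded` and `compare` are hypothetical names, and the policy is an assumed one that, like the output shown, returns False for `CheckerPublic`.

```python
# Self-contained model (Python 3); names other than CheckerPublic are assumptions.
import threading


class _Public:
    """Stand-in for the zope.security.checker.CheckerPublic marker."""
    def __repr__(self):
        return "Global(CheckerPublic,zope.security.checker)"


CheckerPublic = _Public()
thread_local = threading.local()  # no interaction is set in this model


class GrantOnlyInteraction:
    """Hypothetical policy that only consults explicit grants, so it has
    no entry for the CheckerPublic marker (or None) and denies both."""
    def __init__(self, grants):
        self.grants = set(grants)

    def checkPermission(self, permission, obj):
        return permission in self.grants


def check_permission_delegating(permission, obj, interaction=None):
    """Shape of the function before the proposal: always ask the policy."""
    if interaction is None:
        interaction = getattr(thread_local, "interaction", None)
    return interaction.checkPermission(permission, obj)


def check_permission_guarded(permission, obj, interaction=None):
    """With the proposed guard: the documented guarantee is enforced here,
    before any policy (or a missing interaction) can contradict it."""
    if permission is CheckerPublic or permission is None:
        return True
    if interaction is None:
        interaction = getattr(thread_local, "interaction", None)
    return interaction.checkPermission(permission, obj)


def compare(permission, interaction):
    """Return (delegating result, guarded result) for one permission."""
    service = object()  # constructed stand-in for the error reporting service
    return (check_permission_delegating(permission, service, interaction),
            check_permission_guarded(permission, service, interaction))
```

Because the guard runs before the interaction lookup, a public check also succeeds when no interaction is active, while every other permission is still decided by the policy.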

