[Zope3-dev] Bug in checkPermission (was: Permissions for 'zmi_views'
menu)
Dmitry Vasiliev
lists at hlabs.spb.ru
Fri Jul 23 06:58:12 EDT 2004
Dmitry Vasiliev wrote:
> Hi, All!
>
> It seems like 'zmi_views' menu has been broken for some services.
>
> For example '/++etc++site/default/ErrorLogging/@@index.html' show only
> 'Registration', 'Metadata', 'Introspector' menu items for me. If I
> change permission="zope.Public" to permissions="zope.View" (file
> src/zope/app/errorservice/browser/configure.zcml, line 23) then I see 5
> menu items (like some time before): 'Errors', 'Configure',
> 'Registration', 'Metadata', 'Introspector'.
>
> Should I change 'zope.Public' to 'zope.View' for all such services (for
> example: errorservice, cache...)? Maybe there is something wrong with
> permissions?
>
With the following patch I was try to access
/++etc++site/default/ErrorLogging/@@errorRedirect.html ...
-------------------------------------------------------------------
Index: src/zope/security/management.py
===================================================================
--- src/zope/security/management.py (revision 26693)
+++ src/zope/security/management.py (working copy)
@@ -104,6 +104,8 @@
def restoreInteraction():
thread_local.interaction = thread_local.previous_interaction
+from zope.security.checker import CheckerPublic
+
def checkPermission(permission, object, interaction=None):
"""Return whether security policy allows permission on object.
@@ -117,9 +119,12 @@
checkPermission is guaranteed to return True if permission is
CheckerPublic or None.
"""
+ print "PERM", permission, permission is CheckerPublic, object,
interaction
if interaction is None:
interaction = thread_local.interaction
- return interaction.checkPermission(permission, object)
+ p = interaction.checkPermission(permission, object)
+ print "PASS?", p
+ return p
addCleanUp(endInteraction)
--------------------------------------------------------------------
...and get the following output:
--------------------------------------------------------------------
PERM Global(CheckerPublic,zope.security.checker) True
<zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
PASS? False
PERM Global(CheckerPublic,zope.security.checker) True
<zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
PASS? False
PERM zope.ManageServices False
<zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
PASS? True
... skipped ...
---------------------------------------------------------------------
If "checkPermission is guaranteed to return True if permission is
CheckerPublic or None" why we just can't do:
if permission is CheckerPublic or permission is None:
return True
in zope.security.management.checkPermission?
--
Dmitry Vasiliev (dima at hlabs.spb.ru)
http://hlabs.spb.ru
More information about the Zope3-dev
mailing list