[Zope3-dev] Bug in checkPermission

Jim Fulton jim at zope.com
Fri Jul 23 10:45:12 EDT 2004


Dmitry Vasiliev wrote:
> Dmitry Vasiliev wrote:
> 
>> Hi, All!
>>
>> It seems like 'zmi_views' menu has been broken for some services.
>>
>> For example '/++etc++site/default/ErrorLogging/@@index.html' shows only 
>> 'Registration', 'Metadata', 'Introspector' menu items for me. If I 
>> change permission="zope.Public" to permissions="zope.View" (file 
>> src/zope/app/errorservice/browser/configure.zcml, line 23) then I see 
>> 5 menu items (like some time before): 'Errors', 'Configure', 
>> 'Registration', 'Metadata', 'Introspector'.
>>
>> Should I change 'zope.Public' to 'zope.View' for all such services 
>> (for example: errorservice, cache...)? Maybe there is something wrong 
>> with permissions?
>>
> 
> With the following patch I tried to access 
> /++etc++site/default/ErrorLogging/@@errorRedirect.html ...
> 
> -------------------------------------------------------------------
> 
> Index: src/zope/security/management.py
> ===================================================================
> --- src/zope/security/management.py     (revision 26693)
> +++ src/zope/security/management.py     (working copy)
> @@ -104,6 +104,8 @@
>  def restoreInteraction():
>      thread_local.interaction = thread_local.previous_interaction
> 
> +from zope.security.checker import CheckerPublic
> +
>  def checkPermission(permission, object, interaction=None):
>      """Return whether security policy allows permission on object.
> 
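
Review bot: the new "from zope.security.checker import CheckerPublic" is added at line 107, between restoreInteraction() and checkPermission(), and within this patch it is used only by the debugging print in the next hunk. If the import is kept for a real fix, move it to the import block at the top of management.py, or add a comment saying why it has to sit here; otherwise drop it together with the print statements.
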
> @@ -117,9 +119,12 @@
>      checkPermission is guaranteed to return True if permission is
>      CheckerPublic or None.
>      """
> +    print "PERM", permission, permission is CheckerPublic, object, 
> interaction
>      if interaction is None:
>          interaction = thread_local.interaction
> -    return interaction.checkPermission(permission, object)
> +    p = interaction.checkPermission(permission, object)
> +    print "PASS?", p
> +    return p
> 
>  addCleanUp(endInteraction)
> 
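
Review bot: after the docstring, checkPermission() still passes every permission to interaction.checkPermission(), so the guarantee stated just above it ("True if permission is CheckerPublic or None") is not enforced anywhere in the function body. Add an identity check before the interaction lookup, for example "if permission is CheckerPublic or permission is None: return True", and cover it with a test. The two print statements write to stdout on every permission check and should be removed before anything from this patch is committed.
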
> --------------------------------------------------------------------
> 
> ...and get the following output:
> 
> --------------------------------------------------------------------
> 
> PERM Global(CheckerPublic,zope.security.checker) True 
> <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
> PASS? False
> PERM Global(CheckerPublic,zope.security.checker) True 
> <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
> PASS? False
> PERM zope.ManageServices False 
> <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
> PASS? True
> 
> ... skipped ...
> ---------------------------------------------------------------------
> 
> If "checkPermission is guaranteed to return True if permission is 
> CheckerPublic or None" why can't we just do:
> 
> if permission is CheckerPublic or permission is None:
>     return True
> 
> in zope.security.management.checkPermission?

Sigh.

That's right.  I just broke this the other day.  I missed the last part of the
doc string and removed the code that checked for CheckerPublic or None.
This didn't break any tests.

Wanna add this back with a test?

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
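
Added example, not code from this thread or from zope.security: a self-contained model of the regression discussed above and of a test that would have caught it. CheckerPublic is a local stand-in sentinel, and DenyAllInteraction, check_permission_regressed, check_permission_fixed and run_regression_checks are hypothetical names; the policy double denies everything, so a True result can only come from the short-circuit.

```python
# Stand-in model, not zope.security itself: CheckerPublic is a local
# sentinel and the interaction class is a hypothetical test double.

class _PublicMarker:
    def __repr__(self):
        return "CheckerPublic"

CheckerPublic = _PublicMarker()


class DenyAllInteraction:
    """Policy double that refuses everything and records what it was asked."""

    def __init__(self):
        self.asked = []

    def checkPermission(self, permission, obj):
        self.asked.append(permission)
        return False


def check_permission_regressed(permission, obj, interaction):
    # Behaviour seen in the thread's debug output: always delegate.
    return interaction.checkPermission(permission, obj)


def check_permission_fixed(permission, obj, interaction):
    # Identity test, as proposed in the thread: only the CheckerPublic
    # object itself or None short-circuits, never a lookalike value.
    if permission is CheckerPublic or permission is None:
        return True
    return interaction.checkPermission(permission, obj)


def run_regression_checks(check):
    """Return the list of failed expectations for a checkPermission variant."""
    failures = []
    obj = object()
    for perm in (CheckerPublic, None):
        if check(perm, obj, DenyAllInteraction()) is not True:
            failures.append("public permission %r was denied" % (perm,))
    # Everything else must still reach the policy, including values that
    # merely look like the public marker (constructed sample inputs).
    for perm in ("zope.ManageServices", "CheckerPublic", _PublicMarker()):
        policy = DenyAllInteraction()
        if check(perm, obj, policy) is not False or policy.asked != [perm]:
            failures.append("%r bypassed the policy" % (perm,))
    return failures
```

The regressed variant fails only the two public-permission expectations, which matches the "PASS? False" lines in the quoted output; the lookalike cases guard against a fix that compares by name or by equality instead of identity.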