[Zope3-dev] Bug in checkPermission
Jim Fulton
jim at zope.com
Fri Jul 23 10:45:12 EDT 2004
Dmitry Vasiliev wrote:
> Dmitry Vasiliev wrote:
>
>> Hi, All!
>>
>> It seems like the 'zmi_views' menu has been broken for some services.
>>
>> For example '/++etc++site/default/ErrorLogging/@@index.html' shows only
>> 'Registration', 'Metadata', 'Introspector' menu items for me. If I
>> change permission="zope.Public" to permissions="zope.View" (file
>> src/zope/app/errorservice/browser/configure.zcml, line 23) then I see
>> 5 menu items (like some time before): 'Errors', 'Configure',
>> 'Registration', 'Metadata', 'Introspector'.
>>
>> Should I change 'zope.Public' to 'zope.View' for all such services
>> (for example: errorservice, cache...)? Maybe there is something wrong
>> with permissions?
>>
>
> With the following patch I tried to access
> /++etc++site/default/ErrorLogging/@@errorRedirect.html ...
>
> -------------------------------------------------------------------
>
> Index: src/zope/security/management.py
> ===================================================================
> --- src/zope/security/management.py (revision 26693)
> +++ src/zope/security/management.py (working copy)
> @@ -104,6 +104,8 @@
> def restoreInteraction():
> thread_local.interaction = thread_local.previous_interaction
>
> +from zope.security.checker import CheckerPublic
> +
> def checkPermission(permission, object, interaction=None):
> """Return whether security policy allows permission on object.
>
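Review bot: the `from zope.security.checker import CheckerPublic` line is added between restoreInteraction() and checkPermission() instead of at the top of the module, and in this patch its only user is the debug print in the next hunk. If the import is kept for a CheckerPublic short-circuit, move it to the top of the file; otherwise drop it together with the prints.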
> @@ -117,9 +119,12 @@
> checkPermission is guaranteed to return True if permission is
> CheckerPublic or None.
> """
> + print "PERM", permission, permission is CheckerPublic, object,
> interaction
> if interaction is None:
> interaction = thread_local.interaction
> - return interaction.checkPermission(permission, object)
> + p = interaction.checkPermission(permission, object)
> + print "PASS?", p
> + return p
>
> addCleanUp(endInteraction)
>
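Review bot: in checkPermission() the docstring context still promises True when permission is CheckerPublic or None, but the body hands every permission to interaction.checkPermission(), so nothing in the function enforces that guarantee. Add an early `if permission is CheckerPublic or permission is None: return True` before the thread_local.interaction lookup, and remove the two print statements before committing. A test that runs the function under a policy that denies everything would pin the documented behaviour.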
> --------------------------------------------------------------------
>
> ...and get the following output:
>
> --------------------------------------------------------------------
>
> PERM Global(CheckerPublic,zope.security.checker) True
> <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
> PASS? False
> PERM Global(CheckerPublic,zope.security.checker) True
> <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
> PASS? False
> PERM zope.ManageServices False
> <zope.app.errorservice.RootErrorReportingService object at 0xcf2aac> None
> PASS? True
>
> ... skipped ...
> ---------------------------------------------------------------------
>
> If "checkPermission is guaranteed to return True if permission is
> CheckerPublic or None", why can't we just do:
>
>     if permission is CheckerPublic or permission is None:
>         return True
>
> in zope.security.management.checkPermission?
Sigh.
That's right. I just broke this the other day. I missed the last part of the
doc string and removed the code that checked for CheckerPublic or None.
This didn't break any tests.
Wanna add this back with a test?
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
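
Added example, not part of the original message and not Zope's own code: a regression test of the kind asked for above, run against a deny-all policy so that losing the CheckerPublic/None short-circuit shows up as a failure. The CheckerPublic sentinel, DenyAllInteraction, checkPermission_regressed and run_regression are stand-ins assumed for illustration.

```python
import threading

# Stand-in for zope.security.checker.CheckerPublic (assumption: a unique sentinel).
CheckerPublic = object()
thread_local = threading.local()


class DenyAllInteraction:
    """Constructed policy that refuses everything and records what it was asked."""

    def __init__(self):
        self.asked = []

    def checkPermission(self, permission, obj):
        self.asked.append(permission)
        return False


def checkPermission_regressed(permission, obj, interaction=None):
    """Behaviour reported in the thread: every permission goes to the policy."""
    if interaction is None:
        interaction = thread_local.interaction
    return interaction.checkPermission(permission, obj)


def checkPermission(permission, obj, interaction=None):
    """Honour the docstring: CheckerPublic or None is always allowed."""
    if permission is None or permission is CheckerPublic:
        return True
    if interaction is None:
        interaction = thread_local.interaction
    return interaction.checkPermission(permission, obj)


def run_regression(check):
    """Run `check` under a deny-all policy; return results and what the policy saw."""
    policy = DenyAllInteraction()
    thread_local.interaction = policy
    target = object()
    results = {
        "public": check(CheckerPublic, target),
        "none": check(None, target),
        "named": check("zope.ManageServices", target),
        "explicit": check(CheckerPublic, target, interaction=policy),
    }
    return results, policy.asked
```

With the short-circuit in place the policy is consulted only for the named permission; without it, the public checks reach the policy and are denied, which is the menu symptom described in the quoted report.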