[Zope3-dev] security problems with database adapters (second edition)

Velko Ivanov dachev at nove.bg
Fri Aug 26 11:51:15 EDT 2005 

Hello,

My problems on this subject didn't get resolved since my last post, but 
I have some new info and questions -

The sympthoms (Zope 3.1.0c1):
Database adapters are not usable by principals other than the 
zope.Manager, in the principals.zcml file. Any other principal is 
unauthenticated - I tried principals.zcml regular user with 
zope.ManageContent, zope.UseDatabaseConnections and zope.View granted, 
pluggable authentication user with the zope.Manager role granted, and 
finally - principals.zcml regular user with zope.Manager role.
All principals are able to see and manage the connection object, but 
can't retrieve results. This is tested and true for both psycopg and 
Gadfly database adapters.

This is the exception I get when trying to use SQL script:
     *  Module zope.app.sqlscript.browser.sqlscript, line 39, in 
getArguments
       for argname, argvalue in self.context.getArguments().items():

Unauthorized: (<zope.app.sqlscript.sqlscript.Arguments object at 
0xa03e86c>, 'items', 'zope.ManageContent')

This is the excpetion from the test page of the connection object (in 
/++etc++site/tools) when I use principal with zope.Manager granted:
     *  Module zope.app.rdb, line 372, in queryForResults
       cursor = conn.cursor()

Unauthorized: (<zope.app.rdb.ZopeConnection object at 0xad11c2c>, 
'cursor', 'zope.ManageContent')


Looking at the code, the ZopeConnection object is created by the 
ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual 
DatabaseAdapter) with a simple call -  						      self._v_connection = 
ZopeConnection(self._connection_factory(), self)
and the ZopeConnection class does not have anything, that deals with 
security, as far as I can see.

My question is, does this eventually mean, that ZopeConnection objects, 
which are created at run-time, are not security proxied and consequently 
unauthorized in all cases (except the system_user) and if yes, what 
should be done? I'm not familiar with the Zope3 environment and I don't 
know how and where objects get proxied.
Or is there something I'm missing here ?


Regards,
Velko Ivanov

More information about the Zope3-dev mailing list