[Zope3-dev] security problems with database adapters (second edition)

Dmitry Vasiliev lists at hlabs.spb.ru
Mon Aug 29 07:16:46 EDT 2005 

Velko Ivanov wrote:
> Hello,
> 
> My problems on this subject didn't get resolved since my last post, but 
> I have some new info and questions -
> 
> The sympthoms (Zope 3.1.0c1):
> Database adapters are not usable by principals other than the 
> zope.Manager, in the principals.zcml file. Any other principal is 
> unauthenticated - I tried principals.zcml regular user with 
> zope.ManageContent, zope.UseDatabaseConnections and zope.View granted, 
> pluggable authentication user with the zope.Manager role granted, and 
> finally - principals.zcml regular user with zope.Manager role.
> All principals are able to see and manage the connection object, but 
> can't retrieve results. This is tested and true for both psycopg and 
> Gadfly database adapters.
> 
> This is the exception I get when trying to use SQL script:
>     *  Module zope.app.sqlscript.browser.sqlscript, line 39, in 
> getArguments
>       for argname, argvalue in self.context.getArguments().items():
> 
> Unauthorized: (<zope.app.sqlscript.sqlscript.Arguments object at 
> 0xa03e86c>, 'items', 'zope.ManageContent')
> 
> This is the excpetion from the test page of the connection object (in 
> /++etc++site/tools) when I use principal with zope.Manager granted:
>     *  Module zope.app.rdb, line 372, in queryForResults
>       cursor = conn.cursor()
> 
> Unauthorized: (<zope.app.rdb.ZopeConnection object at 0xad11c2c>, 
> 'cursor', 'zope.ManageContent')

Hmm... Database adapter working just fine for me.

> Looking at the code, the ZopeConnection object is created by the 
> ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual 
> DatabaseAdapter) with a simple call -                                
> self._v_connection = ZopeConnection(self._connection_factory(), self)
> and the ZopeConnection class does not have anything, that deals with 
> security, as far as I can see.

See zope/app/rdb/configure.zcml for security declarations.

> My question is, does this eventually mean, that ZopeConnection objects, 
> which are created at run-time, are not security proxied and consequently 
> unauthorized in all cases (except the system_user) and if yes, what 
> should be done? I'm not familiar with the Zope3 environment and I don't 
> know how and where objects get proxied.
> Or is there something I'm missing here ?

Can you repeat all this experiments on clean Z3 setup (without any additional 
components and without your old Data.fs file, check also for all possibly 
conflicting modules on the PYTHONPATH)?

-- 
Dmitry Vasiliev (dima at hlabs.spb.ru)
     http://hlabs.spb.ru

More information about the Zope3-dev mailing list