[Zope3-dev] security problems with database adapters (second edition)
Dmitry Vasiliev
lists at hlabs.spb.ru
Mon Aug 29 07:16:46 EDT 2005
Velko Ivanov wrote:
> Hello,
>
> My problems on this subject didn't get resolved since my last post, but
> I have some new info and questions -
>
> The symptoms (Zope 3.1.0c1):
> Database adapters are not usable by principals other than the
> zope.Manager, in the principals.zcml file. Any other principal is
> unauthenticated - I tried principals.zcml regular user with
> zope.ManageContent, zope.UseDatabaseConnections and zope.View granted,
> pluggable authentication user with the zope.Manager role granted, and
> finally - principals.zcml regular user with zope.Manager role.
> All principals are able to see and manage the connection object, but
> can't retrieve results. This is tested and true for both psycopg and
> Gadfly database adapters.
>
> This is the exception I get when trying to use SQL script:
> * Module zope.app.sqlscript.browser.sqlscript, line 39, in getArguments
>   for argname, argvalue in self.context.getArguments().items():
>
> Unauthorized: (<zope.app.sqlscript.sqlscript.Arguments object at
> 0xa03e86c>, 'items', 'zope.ManageContent')
>
> This is the exception from the test page of the connection object (in
> /++etc++site/tools) when I use principal with zope.Manager granted:
> * Module zope.app.rdb, line 372, in queryForResults
> cursor = conn.cursor()
>
> Unauthorized: (<zope.app.rdb.ZopeConnection object at 0xad11c2c>,
> 'cursor', 'zope.ManageContent')

Hmm... The database adapter is working just fine for me.

> Looking at the code, the ZopeConnection object is created by the
> ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual
> DatabaseAdapter) with a simple call -
> self._v_connection = ZopeConnection(self._connection_factory(), self)
> and the ZopeConnection class does not have anything, that deals with
> security, as far as I can see.

See zope/app/rdb/configure.zcml for security declarations.

> My question is, does this eventually mean, that ZopeConnection objects,
> which are created at run-time, are not security proxied and consequently
> unauthorized in all cases (except the system_user) and if yes, what
> should be done? I'm not familiar with the Zope3 environment and I don't
> know how and where objects get proxied.
> Or is there something I'm missing here ?

Can you repeat all these experiments on a clean Z3 setup (without any additional
components and without your old Data.fs file; check also for all possibly
conflicting modules on the PYTHONPATH)?

--
Dmitry Vasiliev (dima at hlabs.spb.ru)
http://hlabs.spb.ru