Chris,

Thanks for the advice but something doesn't scope:

The '__allow_access_to_unprotected_subobjects__ = 1' hack doesn't work in this case for some reason. That was one of the things I'd tried before sending the post.

The other case does work in this instance but there is, to my mind, something still not ringing true.

For example, using the ZPT stuff, if you put here/title as an output variable (similar to <dtml-var title>), you get the same unauthorized traceback as stated below. This means that the object doesn't have access to its own properties, surely not!

I'm not saying that there is a security hole in Zope, quite the opposite. Access is being denied to things that the current user should have access to. This has meant that I'm having to loosen security on some of my 'bits' to allow the user to see things correctly.

This only started happening with 2.3.x (and maybe some of the betas). Zope 2.2.x did not seem to have this problem.

I've seen spurious mention of similar things over the last few months from other Zope users as well, but then I do feel slightly paranoid at the moment, maybe I'm just looking at the world through shitty colored glasses 8¬(.

I will try and dredge some of these things up, either to fuel the fire or put it out. ;)

If the above case doesn't cover it I'm going to have to find another test case, even if it's just to prove to myself that there is nothing wrong. ;)

Thanks for the help.

Phil

----- Original Message -----
From: "Chris McDonough" <chrism@digicool.com>
To: "Phil Harris" <phil.harris@zope.co.uk>; <zope@zope.org>
Sent: Wednesday, May 09, 2001 3:41 PM
Subject: Re: [Zope] Security Problems?
Hi Phil,
Defining classes in external methods is... an interesting experience. I don't recommend it. It gets tricky because the file that external methods are defined in isn't actually a Python module, so interpreting the behavior is hard.
That said, the security chapter of the developer's guide goes into this a little (http://www.zope.org/Documentation/ZDG/Security.dtml). The problem is that the instances you're putting in the array don't have any security declarations, therefore access to them is denied (raising the unauthorized). The fix for this is to add security declarations to the class, e.g. (untested):
    from AccessControl import ClassSecurityInfo
    from Globals import InitializeClass

    class c:
        security = ClassSecurityInfo()
        security.declareObjectPublic()       # instances of c are public objects
        security.setDefaultAccess('allow')   # ...and so are their undeclared attributes
        def __init__(self, a):
            self.score = a
            self.test = a * a

    # Apply the declarations to the class once, when the file is loaded;
    # it's dumb to do this every time t() is called.
    InitializeClass(c)

    def t(self):
        retval = []
        for a in range(1, 10):
            retval.append(c(a))
        return retval
If this doesn't work for some reason (setDefaultAccess was broken in at least one Zope release), try to define the class c like so:
    class c:
        __allow_access_to_unprotected_subobjects__ = 1
        def __init__(self, a):
            self.score = a
            self.test = a * a
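To make the rule Chris is describing concrete, here is an added, stand-alone Python model of it. It is not Zope's AccessControl code and not part of either message: the real check (DocumentTemplate/DT_Util.py careful_getattr calling AccessControl/ZopeSecurityPolicy.py validate) also consults users, roles and the acquisition chain, none of which is modelled here. The model keeps only the part that produces "Unauthorized: score": a value with no security declaration of its own is an "unprotected subobject", and it is reachable only if its container opts in. The class names and the Holder object are assumptions made up for the illustration.

```python
"""Simplified model of how Zope 2 decides whether a template may read an
attribute. Added illustration only; NOT the Zope AccessControl implementation.

Modelled facts (from AccessControl/SecurityInfo.py and ZopeSecurityPolicy.py):
  * declareObjectPublic() ends up setting __roles__ = None on the class, which
    marks instances as public *values*.
  * setDefaultAccess('allow') ends up setting
    __allow_access_to_unprotected_subobjects__ = 1 on the class, which lets
    attributes that carry no declaration (plain ints, strings, ...) be read.
  * The hook may also be a dict mapping attribute names to 1/0.
Everything else (role lookups, acquisition) is deliberately left out.
"""


class Unauthorized(Exception):
    """Stand-in for AccessControl's Unauthorized; str(exc) is the refused name."""


def careful_getattr(container, name):
    """Fetch `name` from `container` the way <dtml-var "x.name"> does, then validate."""
    value = getattr(container, name)

    # Rule 1: the value carries its own declaration (declareObjectPublic).
    if hasattr(value, '__roles__'):
        if value.__roles__ is None:   # None == public in Zope
            return value
        raise Unauthorized(name)      # role-based access is outside this model

    # Rule 2: no declaration on the value, so ask the container whether
    # unprotected subobjects may be handed out (setDefaultAccess / the hack).
    allow = getattr(container, '__allow_access_to_unprotected_subobjects__', 0)
    if isinstance(allow, dict):
        allow = allow.get(name, 0)
    if allow:
        return value

    # Rule 3: nothing vouches for it -> Unauthorized: <name>
    raise Unauthorized(name)


class Unprotected:
    """Phil's class 'c' exactly as posted: no declarations at all."""
    def __init__(self, a):
        self.score = a
        self.test = a * a


class AllowsSubobjects(Unprotected):
    """Chris's second suggestion: blanket-allow undeclared attributes."""
    __allow_access_to_unprotected_subobjects__ = 1


class AllowsScoreOnly(Unprotected):
    """Same hook as a dict: expose 'score' but keep 'test' out of templates."""
    __allow_access_to_unprotected_subobjects__ = {'score': 1}


class FullyDeclared(Unprotected):
    """What ClassSecurityInfo + InitializeClass leave behind for Chris's first
    suggestion (written out by hand here): public instances AND open attributes."""
    __roles__ = None
    __allow_access_to_unprotected_subobjects__ = 1


def try_render(instances, attr='score'):
    """What the <dtml-in t> loop does: read `attr` from every sequence item.
    Returns the list of values, or the 'Unauthorized: <name>' string."""
    try:
        return [careful_getattr(inst, attr) for inst in instances]
    except Unauthorized as exc:
        return 'Unauthorized: %s' % exc


class Holder:
    """Assumed container with no opt-in, used to show rule 1 in isolation."""
    def __init__(self, item):
        self.item = item


def try_fetch_item(obj):
    """Is the instance itself (not its attributes) handed out as a value?"""
    try:
        careful_getattr(Holder(obj), 'item')
        return 'ok'
    except Unauthorized as exc:
        return 'Unauthorized: %s' % exc


if __name__ == '__main__':
    for cls in (Unprotected, AllowsSubobjects, AllowsScoreOnly, FullyDeclared):
        items = [cls(a) for a in range(1, 4)]
        print(cls.__name__, try_render(items), try_render(items, 'test'),
              try_fetch_item(items[0]))
```

Note the two halves of Chris's first fix do different jobs: declareObjectPublic covers handing out the instance as a value (the sequence item), while setDefaultAccess('allow') covers reading its undeclared attributes such as score. The dict form shows that you do not have to open everything up to get one attribute through.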
----- Original Message -----
From: Phil Harris
To: zope@zope.org
Sent: Wednesday, May 09, 2001 10:08 AM
Subject: [Zope] Security Problems?
All,
I've got a sneaking suspicion that there are some security problems in Zope 2.3.x.
I've been trying to make a simple testcase and would like other (better) minds than mine to look at it.
I have an external method which looks like:
    class c:
        def __init__(self, a):
            self.score = a
            self.test = a * a

    def t(self):
        retval = []
        for a in range(1, 10):
            retval.append(c(a))
        return retval
The class 'c' is a very simple class, it has no methods and only two attributes/properties 'score' and 'test'.
The external method 't' is also very simple, it just returns an array of class 'c'.
The dtml-method I'm using to access this array is as follows:
    <dtml-var standard_html_header>
    <dtml-in t>
      <dtml-var "_['sequence-item'].score">
    </dtml-in>
    <dtml-var standard_html_footer>
Nothing earth shattering there either.
BUT, I get an unauthorized error raised with this traceback whenever I run this dtml-method:
(note that an authentication login box is presented but NO user name is able to authenticate)

    Traceback (innermost last):
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
      File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in call_object
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in __call__
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in renderwob
        (Object: t)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
        (Object: _['sequence-item'].score)
        (Info: _)
      File <string>, line 0, in ?
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
      File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in validate
      File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168, in validate
    Unauthorized: score
All of this is run on a bog standard install of Zope 2.3.2 with no other products installed, no security changes done, REALLY bog standard.
Anyone got any ideas?
Cos this is doin my f'in ed in man?!?!?!?!?!?
Phil
phil.harris@zope.co.uk

_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )