Security exception after going from 2.6.2 -> 2.7.3
Hi all

I kinda fear that this is a FAQ, but Google hasn't helped. We have some code that worked fine under Zope 2.6.2, but is raising an exception now:

Unauthorized: The container has no security assertions. Access to None of IISet([-994264300, -570961636, -570961635, -164488020, -25364235]) denied.

This is the edited traceback::

  * Module Products.PageTemplates.ZRPythonExpr, line 47, in __call__
    __traceback_info__: here.reservedcustomernumberrange_listing_items()
  * Module Python expression "here.reservedcustomernumberrange_listing_items()", line 1, in <expression>
  [...]
  * Module None, line 13, in reservedcustomernumberrange_listing_items
    <FSPythonScript at /creme/reservedcustomernumberrange_listing_items used for /creme/Setup/ReservedCustomerNumbers>
    Line 13
  * Module AccessControl.ZopeGuards, line 211, in next
  * Module AccessControl.ZopeGuards, line 224, in guard
  * Module Products.VerboseSecurity.VerboseSecurityPolicy, line 157, in validate

The code that raises the exception is::

  rids = context.QueryService(meta_type='ReservedCustomerNumberRange')
  result = [context.Catalog.getobject(rid) for rid in rids]  # Exception!

As is apparent from the traceback, QueryService returns an IISet::

  from BTrees.IIBTree import IISet
  [...]
  result = IISet()
  [etc]

Any pointers please?

-- Jean Jordaan http://www.upfrontsystems.co.za
On Mar 4, 2005, at 13:35, Jean Jordaan wrote:
Hi all
I kinda fear that this is a FAQ, but Google hasn't helped. We have some code that worked fine under Zope 2.6.2, but is raising an exception now:
Unauthorized: The container has no security assertions. Access to None of IISet([-994264300, -570961636, -570961635, -164488020, -25364235]) denied.
My suggestion would be to try out the current Zope-2_7-branch from CVS to see if it fixes the problem. Tres and Jim just recently relaxed some overeager security checks in there. The changes will become part of 2.7.5 when it is released. Out of curiosity, why did you choose 2.7.3 when 2.7.4 is the released stable version? jens
Hi Jens Thanks! I've just googled http://www.gossamer-threads.com/lists/engine?do=post_view;post=179880;list=z... which offers the same advice.
Out of curiosity, why did you choose 2.7.3 when 2.7.4 is the released stable version?
Pure inertia. When we upgraded from 2.6.2, the stable version was 2.7.3 .. -- Jean Jordaan http://www.upfrontsystems.co.za
By the way, moving the offending code:
  rids = context.QueryService(meta_type='ReservedCustomerNumberRange')
  result = [context.Catalog.getobject(rid) for rid in rids]  # Exception!
from a Python Script to a class method fixes the problem for now. I'm moving to 2.7.4 now. -- Jean Jordaan http://www.upfrontsystems.co.za
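The check behind "The container has no security assertions", and why moving the loop into trusted code makes it go away, can be modelled in a few lines of plain Python. The following is an added illustration written for this archive page, not Zope's own AccessControl.ZopeGuards code: IISetStandIn, guarded_iter, has_security_assertions and the SAFE_CONTAINERS whitelist are assumed stand-ins for the real IISet, the guard that restricted Python wraps around iteration, and Zope's builtin-container assertions. The record ids are the ones from the traceback above, used here only as constructed sample data.

```python
"""Simplified model of how restricted Python guards iteration in Zope 2.

Added example (not Zope code). Restricted Python validates every item it
pulls out of a container against that container. A builtin list is on a
whitelist; an arbitrary object such as a BTrees IISet carries no security
assertions, so iterating it directly from a Python Script is denied. Doing
the iteration in filesystem (unrestricted) code and returning a plain list
sidesteps the check, which is the fix described in the thread.
"""


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


# Builtin containers restricted Python is allowed to iterate. Zope keeps a
# comparable whitelist (ContainerAssertions); this tuple is an assumption.
SAFE_CONTAINERS = (list, tuple, dict, set, frozenset, str)


class IISetStandIn:
    """Constructed stand-in for BTrees.IIBTree.IISet: a sorted integer set
    that carries no security assertions (no __roles__ and no
    __allow_access_to_unprotected_subobjects__)."""

    def __init__(self, ints):
        self._data = sorted(set(ints))

    def __iter__(self):
        return iter(self._data)

    def __repr__(self):
        return "IISet(%r)" % (self._data,)


def has_security_assertions(container):
    """A container may hand its items to restricted code if it is a
    whitelisted builtin or explicitly allows access to its subobjects."""
    if isinstance(container, SAFE_CONTAINERS):
        return True
    return bool(getattr(container, "__allow_access_to_unprotected_subobjects__", 0))


def guarded_iter(container):
    """Model of the guard the traceback shows (ZopeGuards next -> guard):
    refuse to iterate a container that has no security assertions."""
    if not has_security_assertions(container):
        raise Unauthorized(
            "The container has no security assertions. "
            "Access to None of %r denied." % (container,))
    return iter(container)


def restricted_script(query_service):
    """The Python Script as posted: it iterates QueryService's result directly."""
    rids = query_service()
    return [rid for rid in guarded_iter(rids)]  # raises Unauthorized for an IISet


def trusted_query_rids(query_service):
    """The fix: a class method (filesystem code) is not subject to the guard,
    so it can iterate the IISet and return a plain, whitelisted list."""
    return [rid for rid in query_service()]


def restricted_script_fixed(query_service):
    """Same script, but consuming the list produced by trusted code."""
    rids = trusted_query_rids(query_service)
    return [rid for rid in guarded_iter(rids)]


# Constructed sample: the record ids quoted in the original traceback.
SAMPLE_RIDS = [-994264300, -570961636, -570961635, -164488020, -25364235]


def query_service():
    """Stand-in for context.QueryService(meta_type=...) returning an IISet."""
    return IISetStandIn(SAMPLE_RIDS)


def demo():
    """Return (error text from the broken script, result of the fixed one)."""
    try:
        restricted_script(query_service)
        broken = "no exception"
    except Unauthorized as exc:
        broken = str(exc)
    return broken, restricted_script_fixed(query_service)


if __name__ == "__main__":
    broken, fixed = demo()
    print("restricted script:", broken)
    print("fixed script:     ", fixed)
```

The point of the model is that the check is on the container, not on the integers: ints are harmless, but restricted code is only allowed to pull them out of something that has declared itself safe. Converting to a list in trusted code therefore keeps the catalog lookup exactly as it was while giving the script an object the guard accepts.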
Hmf, neither 2.7.5b1 nor zope.org/Zope.Zope-2_7-branch cures the IISet hassle. The traceback is the same as in my original posting. Looks like I need to move that code out of restricted python.

Elsewhere I also see this:

Unauthorized: Your user account, jean, is defined outside the context of the object being accessed. Access to 'id' of (Reseller instance at 414925c0) denied. Access requires one of the following roles: ['Administrator', 'Manager', 'Supporter'].

The fix for that is to s/id/getId()/ .. why is accessing id directly failing? I've read here and there that getId is wrong, but this code comes from before I knew about that ..

-- Jean Jordaan http://www.upfrontsystems.co.za
On Mar 7, 2005, at 15:36, Jean Jordaan wrote:
The fix for that is to s/id/getId()/ .. why is accessing id directly failing? I've read here and there that getId is wrong, but this code comes from before I knew about that ..
getId is *the canonical way* to get an object's ID and is recommended over using anything else. jens
Jean Jordaan wrote at 2005-3-7 16:36 +0200:
Hmf, neither 2.7.5b1 nor zope.org/Zope.Zope-2_7-branch cures the IISet hassle. The traceback is the same as in my original posting.
Looks like I need to move that code out of restricted python.
Elsewhere I also see this:
Unauthorized: Your user account, jean, is defined outside the context of the object being accessed. Access to 'id' of (Reseller instance at 414925c0) denied. Access requires one of the following roles: ['Administrator', 'Manager', 'Supporter'].
The fix for that is to s/id/getId()/
I hope this does not work (it should not!). "s/id" may be unauthorized (because it is protected by the "ObjectPermission") while "s/getId" may be authorized (because "getId" can carry its own permission -- different from the "ObjectPermission"). But if "s/id" is unauthorized, then "s/id/getId" should be as well (and "s/id/getId()" should be a syntax error -- be more careful in the future!). -- Dieter
Hi Dieter
The fix for that is to s/id/getId()/
I hope, this does not work (it should not!).
Sorry, I was being cryptic: I meant s/id/getId()/ as in a substitute command in Vim or sed, not as in a path expression! -- Jean Jordaan http://www.upfrontsystems.co.za
participants (3)
- Dieter Maurer
- Jean Jordaan
- Jens Vagelpohl