Basic Security question
I thought I understood permissions and roles, but... I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'. When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to. I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder? Any and all help appreciated! Jonathan
Not sure, but note that proxy roles are not passed on to scripts invoked by Display. Only Display itself will have the proxy role. Stefan On Donnerstag, Mai 27, 2004, at 17:09 Europe/Vienna, Jonathan Hobbs wrote:
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder? -- The time has come to start talking about whether the emperor is as well dressed as we are supposed to think he is. /Pete McBreen/
Thanks for the response Stefan...
Not sure, but note that proxy roles are not passed on to scripts invoked by Display. Only Display itself will have the proxy role.
The 'Display' dtml method (which has the 'Authenticated' proxy role) is trying to access an object in the 'Data' folder (folder has 'View' permission set to 'Authenticated' only). The object in the 'Data' folder is not a script, but an image file I would like the 'Display' method to display. Thanks, Jonathan
On Donnerstag, Mai 27, 2004, at 17:09 Europe/Vienna, Jonathan Hobbs wrote:
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
Jonathan Hobbs wrote at 2004-5-27 11:09 -0400:
I thought I understood permissions and roles, but...
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
What is the owner of this "DMTL Method"? It can at most do what its owner is allowed to do. BTW, "VerboseSecurity" can help you to analyse difficult security problems. Use the CVS version (once Zope's CVS starts to work again). -- Dieter
Thanks for the response Dieter...
Jonathan Hobbs wrote at 2004-5-27 11:09 -0400:
I thought I understood permissions and roles, but...
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
What is the owner of this "DMTL Method"? It can at most do what its owner is allowed to do.
The dtml method ('Display') is owned by 'admin' (from acl_users). The folder ('Data') is also owned by 'admin'. I have already tried to set the Proxy role of the dtml method to 'Owner' and the 'View' permission setting of the folder to 'Owner', with no luck (still get the security popup window).
BTW, "VerboseSecurity" can help you to analyse difficult security problems. Use the CVS version (once Zope's CVS starts to work again).
We are running Zope 2.6.1, so I will try the VerboseSecurity product - thanks for the tip! Jonathan
Jonathan Hobbs wrote at 2004-5-27 11:09 -0400:
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
BTW, "VerboseSecurity" can help you to analyse difficult security problems. Use the CVS version (once Zope's CVS starts to work again).
I have installed VerboseSecurity (it shows up in the Control_Panel/Products list), but it does not generate any output in the zope_error_log (the requests are showing up in zope_access_log). Does VerboseSecurity put the security info somewhere else? We are running 2.6.1 if this has any bearing. Jonathan
Jonathan Hobbs wrote at 2004-5-27 15:05 -0400:
... I have installed VerboseSecurity (it shows up in the Control_Panel/Products list), but it does not generate any output in the zope_error_log (the requests are showing up in zope_access_log). Does VerboseSecurity put the security info somewhere else?
And you did follow the instructions? * Use ZOPE_SECURITY_POLICY=PYTHON * tell "error_log" not to ignore "Unauthorized" -- Dieter
Jonathan Hobbs wrote at 2004-5-27 15:05 -0400:
... I have installed VerboseSecurity (it shows up in the Control_Panel/Products list), but it does not generate any output in the zope_error_log (the requests are showing up in zope_access_log). Does VerboseSecurity put the security info somewhere else?
And you did follow the instructions?
* Use ZOPE_SECURITY_POLICY=PYTHON
Yes (ZOPE_SECURITY_POLICY=PYTHON) I have installed VerboseSecurity and when I try to access my data folder (the one with 'View' permission set to 'Authenticated') I get the following zope error: Error Type: TypeError Error Value: issubclass() arg 2 must be a class Error Traceback: Traceback (innermost last): Module ZPublisher.Publish, line 98, in publish Module ZPublisher.mapply, line 88, in mapply Module ZPublisher.Publish, line 39, in call_object Module Shared.DC.Scripts.Bindings, line 252, in __call__ Module Shared.DC.Scripts.Bindings, line 283, in _bindAndExec Module App.special_dtml, line 174, in _exec Module OFS.ObjectManager, line 222, in filtered_meta_types Module AccessControl.User, line 266, in has_permission Module AccessControl.SecurityManager, line 139, in checkPermission Module Products.VerboseSecurity.VerboseSecurityPolicy, line 277, in checkPermission Module AccessControl.PermissionRole, line 51, in rolesForPermissionOn Module Products.VerboseSecurity.PermissionRolePatch, line 55, in __of__ TypeError: issubclass() arg 2 must be a class Which is strange because I am trying to access the folder via the ZMI and I my user account is the 'Manager' account (also the 'owner' that created the data folder). I am running zope 2.6.1, python 2.1.3
* tell "error_log" not to ignore "Unauthorized"
How does one go about doing that? I found no hints in SiteErrorLog.py. Thanks, Jonathan
Small Business Services wrote:
Jonathan Hobbs wrote at 2004-5-27 15:05 -0400:
... I have installed VerboseSecurity (it shows up in the
Control_Panel/Products
list), but it does not generate any output in the zope_error_log (the requests are showing up in zope_access_log). Does VerboseSecurity put
the
security info somewhere else?
And you did follow the instructions?
* Use ZOPE_SECURITY_POLICY=PYTHON
Yes (ZOPE_SECURITY_POLICY=PYTHON)
I have installed VerboseSecurity and when I try to access my data folder (the one with 'View' permission set to 'Authenticated') I get the following zope error:
Error Type: TypeError Error Value: issubclass() arg 2 must be a class Error Traceback:
Traceback (innermost last):
Module ZPublisher.Publish, line 98, in publish Module ZPublisher.mapply, line 88, in mapply Module ZPublisher.Publish, line 39, in call_object Module Shared.DC.Scripts.Bindings, line 252, in __call__ Module Shared.DC.Scripts.Bindings, line 283, in _bindAndExec Module App.special_dtml, line 174, in _exec Module OFS.ObjectManager, line 222, in filtered_meta_types Module AccessControl.User, line 266, in has_permission Module AccessControl.SecurityManager, line 139, in checkPermission Module Products.VerboseSecurity.VerboseSecurityPolicy, line 277, in checkPermission Module AccessControl.PermissionRole, line 51, in rolesForPermissionOn Module Products.VerboseSecurity.PermissionRolePatch, line 55, in __of__ TypeError: issubclass() arg 2 must be a class
Which is strange because I am trying to access the folder via the ZMI and I my user account is the 'Manager' account (also the 'owner' that created the data folder).
I am running zope 2.6.1, python 2.1.3
* tell "error_log" not to ignore "Unauthorized"
How does one go about doing that? I found no hints in SiteErrorLog.py.
in your site there is an object with id "error_log" there you can edit the list of errors to suppress. Robert
Thanks,
Jonathan
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
From: "Small Business Services" <toolkit@magma.ca>
I have installed VerboseSecurity and when I try to access my data folder (the one with 'View' permission set to 'Authenticated') I get the following zope error:
Error Type: TypeError Error Value: issubclass() arg 2 must be a class
Running VerboseSecurity under zope 2.6.1, python 2.1.3 requires the following change in PermissionRolePatch.py: Change: if issubclass(t, StringType) or issubclass(t, UnicodeType): To: if isinstance(t, StringType) or isinstance(t, UnicodeType): I don't know if this is a good/bad fix but at least VerboseSecurity works.
My objective is to serve up an image to the client (browser). I have created a python script with the following code: (I have also tried dtml and an external method) request = context.REQUEST RESPONSE = request.RESPONSE isrc = context.restrictedTraverse('Slides/1076436332') RESPONSE.setHeader('Content-type', 'image/jpeg') RESPONSE.setHeader('Content-length', len(str(isrc)) ) RESPONSE.setHeader('Accept-ranges', 'bytes') RESPONSE.setHeader('Last-modified', str(DateTime() ) RESPONSE.write(osrc) RESPONSE.flush() return The HTTP headers I get as a result of this script are: Status: HTTP/1.1 200 OK Date: Wed, 02 Jun 2004 17:14:14 GMT Server: Apache/2.0.40 (Red Hat Linux) X-Powered-By: Zope (www.zope.org), Python (www.python.org) Accept-Ranges: bytes Content-Length: 0 Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT Connection: close Content-Type: image/jpeg Does anyone have any idea why the Content-Length and Last-Modified date are being reset? (I think the content-length of 0 is the reason this script is not working - it just displays a broken image icon in the browser window). All ideas appreciated! Jonathan
On Wed, Jun 02, 2004 at 01:19:33PM -0400, Small Business Services wrote:
My objective is to serve up an image to the client (browser).
I have created a python script with the following code: (I have also tried dtml and an external method)
request = context.REQUEST RESPONSE = request.RESPONSE
isrc = context.restrictedTraverse('Slides/1076436332')
Presumably this is an Image instance?
RESPONSE.setHeader('Content-type', 'image/jpeg') RESPONSE.setHeader('Content-length', len(str(isrc)) ) RESPONSE.setHeader('Accept-ranges', 'bytes') RESPONSE.setHeader('Last-modified', str(DateTime() ) RESPONSE.write(osrc) ^^^^ RESPONSE.flush()
What is osrc? It's not mentioned elsewhere in this code. I have to wonder why you are doing this, instead of just calling the object's index_html method, e.g.: return isrc.index_html(request, RESPONSE) -- Paul Winkler http://www.slinkp.com
Sorry about the type (osrc should be isrc). The rationale for this somewhat convoluted approach to displaying images is that the images are in a folder with 'View' permission set to 'Authenticated'. However, in certain conditions I want to allow anonymous users access to some of the images in the folder. Therefore I am using a script/method with proxy set to 'Authenticated' to serve up these images to the public. ----- Original Message ----- From: "Paul Winkler" <pw_lists@slinkp.com> To: <zope@zope.org> Sent: June 2, 2004 1:38 PM Subject: Re: [Zope] Serving up and Image
On Wed, Jun 02, 2004 at 01:19:33PM -0400, Small Business Services wrote:
My objective is to serve up an image to the client (browser).
I have created a python script with the following code: (I have also tried dtml and an external method)
request = context.REQUEST RESPONSE = request.RESPONSE
isrc = context.restrictedTraverse('Slides/1076436332')
Presumably this is an Image instance?
RESPONSE.setHeader('Content-type', 'image/jpeg') RESPONSE.setHeader('Content-length', len(str(isrc)) ) RESPONSE.setHeader('Accept-ranges', 'bytes') RESPONSE.setHeader('Last-modified', str(DateTime() ) RESPONSE.write(osrc) ^^^^ RESPONSE.flush()
What is osrc? It's not mentioned elsewhere in this code.
I have to wonder why you are doing this, instead of just calling the object's index_html method, e.g.:
return isrc.index_html(request, RESPONSE)
--
Paul Winkler http://www.slinkp.com
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
On Wed, Jun 02, 2004 at 01:19:33PM -0400, Small Business Services wrote:
My objective is to serve up an image to the client (browser).
I have created a python script with the following code: (I have also tried dtml and an external method)
request = context.REQUEST RESPONSE = request.RESPONSE
isrc = context.restrictedTraverse('Slides/1076436332')
Presumably this is an Image instance?
Yes
RESPONSE.setHeader('Content-type', 'image/jpeg') RESPONSE.setHeader('Content-length', len(str(isrc)) ) RESPONSE.setHeader('Accept-ranges', 'bytes') RESPONSE.setHeader('Last-modified', str(DateTime() ) RESPONSE.write(isrc) RESPONSE.flush()
After some investigation it turns out the server was closing the connection before all the data was written. The solution was: RESPONSE.write(str(isrc)) Which created an http-friendly data stream (apparently something in the jpg data stream caused the problem).
On Wed, Jun 02, 2004 at 04:22:04PM -0400, Small Business Services wrote:
After some investigation it turns out the server was closing the connection before all the data was written. The solution was:
RESPONSE.write(str(isrc))
Which created an http-friendly data stream (apparently something in the jpg data stream caused the problem).
or maybe RESPONSE.write(isrc) was implicitly doing repr(isrc) instead of str(isrc). not sure. In any case, I'd again suggest calling isrc.index_html(request, RESPONSE). It scales much better to large images. Your method will read the entire image data into memory as a string and not return anything to the client until it is done. Image.index_html() will stream the data in chunks as they are loaded from the ZODB. This uses less memory and is faster. -- Paul Winkler http://www.slinkp.com
From: "Paul Winkler" <pw_lists@slinkp.com>
On Wed, Jun 02, 2004 at 04:22:04PM -0400, Small Business Services wrote:
After some investigation it turns out the server was closing the connection before all the data was written. The solution was:
RESPONSE.write(str(isrc))
Which created an http-friendly data stream (apparently something in the jpg data stream caused the problem).
or maybe RESPONSE.write(isrc) was implicitly doing repr(isrc) instead of str(isrc). not sure.
In any case, I'd again suggest calling isrc.index_html(request, RESPONSE). It scales much better to large images.
Your method will read the entire image data into memory as a string and not return anything to the client until it is done. Image.index_html() will stream the data in chunks as they are loaded from the ZODB. This uses less memory and is faster.
Thanks for the feedback Paul, I'd like to try your isrc.index_html() idea, what should index_html (script/method?) contain? (I assume its not the standard index_html dtml method that is the initial 'public' page for our web site - which has been modified extensively for our particular application). Jonathan
On Thu, Jun 03, 2004 at 07:43:33AM -0400, Small Business Services wrote:
From: "Paul Winkler" <pw_lists@slinkp.com>
In any case, I'd again suggest calling isrc.index_html(request, RESPONSE). It scales much better to large images.
Your method will read the entire image data into memory as a string and not return anything to the client until it is done. Image.index_html() will stream the data in chunks as they are loaded from the ZODB. This uses less memory and is faster.
Thanks for the feedback Paul,
I'd like to try your isrc.index_html() idea, what should index_html (script/method?) contain?
It already exists. index_html is a method provided by the Image class. It is defined in lib/python/OFS/Image.py. -- Paul Winkler http://www.slinkp.com
Small Business Services wrote:
Running VerboseSecurity under zope 2.6.1, python 2.1.3 requires the following change in PermissionRolePatch.py:
Change: if issubclass(t, StringType) or issubclass(t, UnicodeType): To: if isinstance(t, StringType) or isinstance(t, UnicodeType):
I don't know if this is a good/bad fix but at least VerboseSecurity works.
I don't remember needing this for VerboseSecurity in 2.6.1 :-S Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On Thu, 27 May 2004 11:09:46 -0400 GMT Jonathan Hobbs asked the Zope mailinglist about the following:
I thought I understood permissions and roles, but...
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
Is the 'Display'-method incidentally also located inside the Data folder? If that is the case, anon is still not allowed to access it, and proxy /no proxy will not matter. -- __________________________________________________________________ Geir Bækholt · Interaction Architect · Plone Solutions Development · Training · Support · http://www.plonesolutions.com __________________________________________________________________
From: "Geir Bækholt" <lists@elvix.com>
On Thu, 27 May 2004 11:09:46 -0400 GMT Jonathan Hobbs asked the Zope mailinglist about the following:
I thought I understood permissions and roles, but...
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
Is the 'Display'-method incidentally also located inside the Data folder? If that is the case, anon is still not allowed to access it, and proxy /no proxy will not matter.
No, the 'Display' dtml method and the 'Data' folder are both objects in the same, higher level folder ie. Folder A | |-- Display method |-- Data folder | |-- image file where 'image file' is the object that 'Display' method is trying to access.
For the archives... I was trying to set a proxy role on a dtml method to 'Authenticated' to enable it to access image files in a subfolder which had its 'View' permission set to authenticated. eg. Folder A | |-- Display method (proxy=authenticated) |-- Data folder (view=authenticated) | |-- image file I kept getting security access errors with this arrangement. The reason was that the Display method used the html tag <img src="DataFolder/imagefile">. The proxy role authenticated the Display method (as expected), but the html <img> tag actually causes a second http request to access the 'src' file, and this second http request is not authenticated, thereby causing the security access error. ----- Original Message ----- From: "Jonathan Hobbs" <hobbs@magma.ca> To: "Geir Bækholt" <lists@elvix.com> Cc: "Zope mailinglist" <zope@zope.org> Sent: May 27, 2004 4:15 PM Subject: Re: [Zope] Basic Security question
From: "Geir Bækholt" <lists@elvix.com>
On Thu, 27 May 2004 11:09:46 -0400 GMT Jonathan Hobbs asked the Zope mailinglist about the following:
I thought I understood permissions and roles, but...
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
Is the 'Display'-method incidentally also located inside the Data folder? If that is the case, anon is still not allowed to access it, and proxy /no proxy will not matter.
No, the 'Display' dtml method and the 'Data' folder are both objects in the same, higher level folder
ie.
Folder A | |-- Display method |-- Data folder | |-- image file
where 'image file' is the object that 'Display' method is trying to access.
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
participants (8)
-
Chris Withers -
Dieter Maurer -
Geir B�kholt -
Jonathan Hobbs -
Paul Winkler -
robert rottermann -
Small Business Services -
Stefan H. Holek