[Zope-Checkins] CVS: Zope/lib/python/AccessControl - PermissionRole.py:1.17.44.1 ZopeGuards.py:1.15.16.1 ZopeSecurityPolicy.py:1.22.2.1 cAccessControl.c:1.19.16.1
Shane Hathaway
shane@zope.com
Mon, 9 Jun 2003 14:43:05 -0400
Update of /cvs-repository/Zope/lib/python/AccessControl
In directory cvs.zope.org:/tmp/cvs-serv26903
Modified Files:
Tag: shane-security-policy-branch
PermissionRole.py ZopeGuards.py ZopeSecurityPolicy.py
cAccessControl.c
Log Message:
Changed the security policy to always raise Unauthorized for denied access.
Previously, the security policy sometimes returned 0 and sometimes
raised Unauthorized, depending on whether the value had been acquired.
If it was acquired, it returned 0. This made it so acquisition
implicitly skipped over things you can't access. I think that
implicit policy isn't needed and makes it hard to debug Zope code.
Returning 0 also makes it difficult to diagnose security denials.
Took the opportunity to stop changing AttributeErrors back into
Unauthorized errors in guarded_getattr. Also fixed the unit tests
to use self.assert instead of assert statements.
=== Zope/lib/python/AccessControl/PermissionRole.py 1.17 => 1.17.44.1 ===
--- Zope/lib/python/AccessControl/PermissionRole.py:1.17 Tue Oct 1 10:09:46 2002
+++ Zope/lib/python/AccessControl/PermissionRole.py Mon Jun 9 14:42:34 2003
@@ -64,7 +64,7 @@
def __init__(self, name, default=('Manager',)):
self.__name__=name
self._p='_'+string.translate(name,name_trans)+"_Permission"
- self._d=default
+ self._d = self.__roles__ = default
def __of__(self, parent, getattr=getattr):
r=imPermissionRole()
=== Zope/lib/python/AccessControl/ZopeGuards.py 1.15 => 1.15.16.1 ===
--- Zope/lib/python/AccessControl/ZopeGuards.py:1.15 Tue Jan 14 10:03:03 2003
+++ Zope/lib/python/AccessControl/ZopeGuards.py Mon Jun 9 14:42:34 2003
@@ -41,6 +41,11 @@
def guarded_getattr(inst, name, default=_marker):
+ """Retrieves an attribute, checking security in the process.
+
+ Raises Unauthorized if the attribute is found but the user is
+ not allowed to access the attribute.
+ """
if name[:1] != '_':
# Try to get the attribute normally so that unusual
# exceptions are caught early.
@@ -55,12 +60,7 @@
validate = getSecurityManager().validate
# Filter out the objects we can't access.
if hasattr(inst, 'aq_acquire'):
- try:
- return inst.aq_acquire(name, aq_validate, validate)
- except AttributeError:
- # A denial of access was converted into an
- # AttributeError. Convert it back.
- raise Unauthorized, name
+ return inst.aq_acquire(name, aq_validate, validate)
# Or just try to get the attribute directly.
if validate(inst, inst, name, v):
return v
=== Zope/lib/python/AccessControl/ZopeSecurityPolicy.py 1.22 => 1.22.2.1 ===
--- Zope/lib/python/AccessControl/ZopeSecurityPolicy.py:1.22 Mon Jun 9 12:26:39 2003
+++ Zope/lib/python/AccessControl/ZopeSecurityPolicy.py Mon Jun 9 14:42:34 2003
@@ -81,19 +81,13 @@
Containers=SimpleObjectPolicies.Containers,
valid_aq_=('aq_parent','aq_inner', 'aq_explicit')):
+ # Note: accessed is not used.
############################################################
# Provide special rules for the acquisition attributes
if type(name) is StringType:
if name.startswith('aq_') and name not in valid_aq_:
- return 0
-
- containerbase = aq_base(container)
- accessedbase = aq_base(accessed)
- if accessedbase is accessed:
- # accessed is not a wrapper, so assume that the
- # value could not have been acquired.
- accessedbase = container
+ raise Unauthorized(name, value)
############################################################
# If roles weren't passed in, we'll try to get them from the object
@@ -111,26 +105,22 @@
# of roles passed in. Presumably, the value is some simple
# object like a string or a list. We'll try to get roles
# from its container.
- if container is None: return 0 # Bail if no container
+ if container is None:
+ # Either container or a list of roles is required
+ # for ZopeSecurityPolicy to know whether access is
+ # allowable.
+ raise Unauthorized(name, value)
roles=getattr(container, '__roles__', _noroles)
if roles is _noroles:
- # Try to acquire __roles__. If it can't be
- # acquired, the value is unprotected. Deny access
- # to acquired unprotected values even if they are
- # in a simple container.
- if containerbase is container:
- # Container is not wrapped.
- roles=_noroles
- if containerbase is not accessedbase:
- return 0
- else:
- # Try to acquire roles
- try: roles = container.aq_acquire('__roles__')
+ # Try to acquire __roles__. If __roles__ can't be
+ # acquired, the value is unprotected and roles is
+ # left set to _noroles.
+ if aq_base(container) is not container:
+ try:
+ roles = container.aq_acquire('__roles__')
except AttributeError:
- roles=_noroles
- if containerbase is not accessedbase:
- return 0
+ pass
# We need to make sure that we are allowed to
# get unprotected attributes from the container. We are
@@ -151,10 +141,7 @@
p=p(name, value)
if not p:
- if (containerbase is accessedbase):
- raise Unauthorized(name, value)
- else:
- return 0
+ raise Unauthorized(name, value)
if roles is _noroles: return 1
@@ -183,9 +170,7 @@
if (owner is not None) and not owner.allowed(value, roles):
# We don't want someone to acquire if they can't
# get an unacquired!
- if accessedbase is containerbase:
- raise Unauthorized(name, value)
- return 0
+ raise Unauthorized(name, value)
# Proxy roles, which are a lot safer now.
proxy_roles=getattr(eo, '_proxy_roles', None)
@@ -194,10 +179,7 @@
if r in roles: return 1
# Proxy roles actually limit access!
- if accessedbase is containerbase:
- raise Unauthorized(name, value)
-
- return 0
+ raise Unauthorized(name, value)
try:
@@ -205,11 +187,8 @@
return 1
except AttributeError: pass
- # We don't want someone to acquire if they can't get an unacquired!
- if accessedbase is containerbase:
- raise Unauthorized(name, value)
+ raise Unauthorized(name, value)
- return 0
def checkPermission(self, permission, object, context):
# XXX proxy roles and executable owner are not checked
=== Zope/lib/python/AccessControl/cAccessControl.c 1.19 => 1.19.16.1 ===
--- Zope/lib/python/AccessControl/cAccessControl.c:1.19 Tue Jan 14 10:03:05 2003
+++ Zope/lib/python/AccessControl/cAccessControl.c Mon Jun 9 14:42:34 2003
@@ -733,7 +733,7 @@
*/
static PyObject *ZopeSecurityPolicy_validate(PyObject *self, PyObject *args) {
- PyObject *accessed = NULL;
+ PyObject *accessed = NULL; /* Note: accessed is not used. */
PyObject *container = NULL;
PyObject *name = NULL;
PyObject *value = NULL;
@@ -742,8 +742,6 @@
/* Import from SimpleObject Policy._noroles */
/* Note that _noroles means missing roles, spelled with a NULL in C.
Jim. */
- PyObject *containerbase = NULL;
- PyObject *accessedbase = NULL;
PyObject *p = NULL;
PyObject *rval = NULL;
PyObject *stack = NULL;
@@ -762,7 +760,7 @@
/*| # Provide special rules for acquisition attributes
**| if type(name) is StringType:
**| if name[:3] == 'aq_' and name not in valid_aq_:
- **| return 0
+ **| raise Unauthorized(name, value)
*/
if (PyString_Check(name)) { /* XXX what about unicode? */
@@ -771,28 +769,15 @@
if (strcmp(sname,"aq_parent") != 0 &&
strcmp(sname,"aq_inner") != 0 &&
strcmp(sname,"aq_explicit") != 0) {
- /* Access control violation, return 0 */
- return PyInt_FromLong(0);
+ /* Access control violation */
+ unauthErr(name, value);
+ return NULL; /* roles is not owned yet */
}
}
}
Py_XINCREF(roles); /* Convert the borrowed ref to a real one */
- /*| containerbase = aq_base(container)
- **| accessedbase = getattr(accessed, 'aq_base', container)
- */
-
- containerbase = aq_base(container);
- if (containerbase == NULL) goto err;
-
- if (aq_isWrapper(accessed))
- accessedbase = aq_base(accessed);
- else {
- Py_INCREF(container);
- accessedbase = container;
- }
-
/*| # If roles weren't passed in, we'll try to get them from
**| # the object
**|
@@ -818,48 +803,33 @@
**| # is some simple object like a string or a list.
**| # We'll try to get roles from it's container
**|
- **| if container is None: return 0 # Bail if no container
+ **| if container is None: raise Unauthorized(name, value)
*/
if (container == Py_None) {
- rval= PyInt_FromLong(0);
+ unauthErr(name, value);
goto err;
}
/*| roles = getattr(container, "__roles__", _noroles)
- **| if roles is _noroles:
- **| aq = getattr(container, 'aq_acquire', None)
- **| if aq is None:
- **| roles = _noroles
- **| if containerbase is not accessedbase: return 0
- **| else:
- **| # Try to acquire roles
- **| try: roles = aq('__roles__')
- **| except AttributeError:
- **| roles = _noroles
- **| if containerbase is not accessedbase: return 0
+ **| if roles is _noroles:
+ **| if aq_base(container) is not container:
+ **| try:
+ **| roles = container.aq_acquire('__roles__')
+ **| except AttributeError:
+ **| pass
*/
roles = PyObject_GetAttr(container, __roles__);
if (roles == NULL) {
PyErr_Clear();
- if (!aq_isWrapper(container)) {
- if (containerbase != accessedbase) {
- rval = PyInt_FromLong(0);
- goto err;
- }
- }
- else {
+ if (aq_isWrapper(container)) {
roles = aq_acquire(container, __roles__);
if (roles == NULL) {
if (PyErr_ExceptionMatches(
PyExc_AttributeError))
{
PyErr_Clear();
- if (containerbase != accessedbase) {
- rval = PyInt_FromLong(0);
- goto err;
- }
}
else
goto err;
@@ -879,7 +849,6 @@
**| "__allow_access_to_unprotected_subobjects__", None)
*/
- /** XXX do we need to incref this stuff? I dont think so */
p = callfunction2(Containers, OBJECT(container->ob_type),
Py_None);
if (p == NULL)
@@ -916,21 +885,13 @@
}
/*| if not p:
- **| if containerbase is accessedbase:
- **| raise Unauthorized, cleanupName(name, value)
- **| else:
- **| return 0
+ **| raise Unauthorized, cleanupName(name, value)
*/
if (p == NULL || ! PyObject_IsTrue(p)) {
- Py_XDECREF(p);
- if (containerbase == accessedbase) {
- unauthErr(name, value);
- goto err;
- } else {
- rval = PyInt_FromLong(0);
- goto err;
- }
+ Py_XDECREF(p);
+ unauthErr(name, value);
+ goto err;
}
else
Py_DECREF(p);
@@ -1014,10 +975,8 @@
**| if (owner is not None) and not owner.allowed(value, roles)
**| # We don't want someone to acquire if they can't
**| # get an unacquired!
- **| if accessedbase is containerbase:
- **| raise Unauthorized, ('You are not authorized to'
- **| 'access <em>%s</em>.' % cleanupName(name, value))
- **| return 0
+ **| raise Unauthorized, ('You are not authorized to'
+ **| 'access <em>%s</em>.' % cleanupName(name, value))
*/
eo = PySequence_GetItem(stack, -1);
@@ -1047,10 +1006,7 @@
{
Py_DECREF(owner);
Py_DECREF(eo);
- if (accessedbase == containerbase) {
- unauthErr(name, value);
- }
- else rval = PyInt_FromLong(0);
+ unauthErr(name, value);
goto err;
}
}
@@ -1065,11 +1021,8 @@
**| if r in roles: return 1
**|
**| # proxy roles actually limit access!
- **| if accessedbase is containerbase:
- **| raise Unauthorized, ('You are not authorized to access'
- **| '<em>%s</em>.' % cleanupName(name, value))
- **|
- **| return 0
+ **| raise Unauthorized, ('You are not authorized to access'
+ **| '<em>%s</em>.' % cleanupName(name, value))
*/
proxy_roles = PyObject_GetAttr(eo, _proxy_roles_str);
Py_DECREF(eo);
@@ -1111,12 +1064,9 @@
Py_DECREF(proxy_roles);
if (contains > 0)
- rval = PyInt_FromLong(contains);
+ rval = PyInt_FromLong(1);
else if (contains == 0) {
- if (accessedbase == containerbase) {
- unauthErr(name, value);
- }
- else rval = PyInt_FromLong(contains);
+ unauthErr(name, value);
}
goto err;
}
@@ -1152,25 +1102,15 @@
}
} /* End of authentiction skip for public only access */
- /*| # we don't want someone to acquire if they can't get an
- **| # unacquired!
- **| if accessedbase is containerbase:
- **| raise Unauthorizied, ("You are not authorized to access"
+ /*| raise Unauthorizied, ("You are not authorized to access"
**| "<em>%s</em>." % cleanupName(name, value))
- **| return 0
*/
-
- if (accessedbase == containerbase)
- unauthErr(name, value);
- else
- rval = PyInt_FromLong(0);
+ unauthErr(name, value);
err:
Py_XDECREF(stack);
Py_XDECREF(roles);
- Py_XDECREF(containerbase);
- Py_XDECREF(accessedbase);
return rval;
}
@@ -2011,24 +1951,12 @@
/*
# Filter out the objects we can't access.
if hasattr(inst, 'aq_acquire'):
- try:
- return inst.aq_acquire(name, aq_validate, validate)
- except AttributeError:
- # A denial of access was converted into an
- # AttributeError. Convert it back.
- raise Unauthorized, name
+ return inst.aq_acquire(name, aq_validate, validate)
*/
if (aq_isWrapper(inst))
{
- t = aq_Acquire(inst, name, aq_validate, validate, 1, NULL, 0);
- if (t == NULL && PyErr_Occurred() == PyExc_AttributeError)
- {
- PyErr_Clear();
- unauthErr(name, v);
- goto err;
- }
Py_DECREF(v);
- return t;
+ return aq_Acquire(inst, name, aq_validate, validate, 1, NULL, 0);
}
/*