[Zope-CMF] declarative security bug?
Jens Vagelpohl
jens@digicool.com
Tue, 24 Jul 2001 15:29:19 -0400
seb,
it's actually not a bug but intended behavior which we might re-think
since quite a few people stumble over it and its side effects.
basically, if a method is declared "public" then the security machinery is
circumvented (saving processing) and the user as it appears to the
security machinery becomes "Anonymous" while this public method is running.
this is not a security bug or risk, it was put in to speed up processing
for things that can be accessed by everyone, anyway.
if you rely on knowing the logged-in user in your public method you can
trick the system into doing security the normal way by protecting the
method with a permission that everyone including Anonymous users normally
have, like "View".
so instead of
declarePublic( 'mymethod' )
you would say
declareProtected( 'View', 'mymethod' )
jens
On Tuesday, July 24, 2001, at 03:43, seb bacon wrote:
> Hi,
>
> I think I've found a security bug, but it might be something unique to
> my setup. However, I'm in a real mad dash this week so I haven't time
> to check it in a vanilla install.
>
> Why does this print "Manager"
>
> security.declareProtected(AddPortalContent, 'parper')
> def parper(self):
>     'parp'
>     print self.portal_membership.getAuthenticatedMember()
>
> But this prints "Anonymous User"
>
> security.declarePublic('parper')
> def parper(self):
>     'parp'
>     print self.portal_membership.getAuthenticatedMember()
>
> ?
>
> This is in a specialised Folder which subclasses PortalFolder, using
> Zope 2.3.2 and CMF 1.1.
>
> seb
>
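To make the behaviour Jens describes concrete, here is an added, self-contained model (not Zope or CMF code, and not from either poster): a toy declaration table whose `call` path skips validation for a public method and runs it as Anonymous, but validates a protected method and runs it as the real user. The class name, the role-to-permission table and the `who_am_i` stand-in for `getAuthenticatedMember()` are assumptions made for the illustration.

```python
from collections import namedtuple

User = namedtuple("User", "name roles")
ANONYMOUS = User("Anonymous User", ("Anonymous",))
# Constructed role -> permission table: "View" is granted to everyone,
# including Anonymous; "Add portal content" only to Manager.
ROLE_PERMISSIONS = {"Anonymous": {"View"},
                    "Manager": {"View", "Add portal content"}}

class SecurityModel:
    """Toy model of a ClassSecurityInfo table and its call path (not Zope's code)."""

    def __init__(self):
        self.declarations = {}  # method name -> permission, None = public

    def declarePublic(self, name):
        self.declarations[name] = None

    def declareProtected(self, permission, name):
        self.declarations[name] = permission

    def call(self, name, logged_in_user, method):
        permission = self.declarations[name]
        if permission is None:
            # Public: validation is skipped and the method runs as Anonymous,
            # whoever is actually logged in.
            return method(ANONYMOUS)
        # Protected: check the caller's roles, then run as the caller.
        if not any(permission in ROLE_PERMISSIONS.get(r, ()) for r in logged_in_user.roles):
            raise PermissionError("%s lacks %r" % (logged_in_user.name, permission))
        return method(logged_in_user)

def who_am_i(authenticated_user):
    # Stands in for self.portal_membership.getAuthenticatedMember().
    return authenticated_user.name

def seen_by_parper(permission):
    """{caller: name seen inside 'parper'} under declarePublic (None) or declareProtected."""
    sec = SecurityModel()
    if permission is None:
        sec.declarePublic("parper")
    else:
        sec.declareProtected(permission, "parper")
    seen = {}
    for caller in (User("Manager", ("Manager",)), ANONYMOUS):
        try:
            seen[caller.name] = sec.call("parper", caller, who_am_i)
        except PermissionError:
            seen[caller.name] = "denied"
    return seen
```

With `declarePublic`, a logged-in Manager is reported as "Anonymous User" inside the method; with `declareProtected('View', ...)` Anonymous can still call it, but the Manager is now reported correctly.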