[ZCM] [ZC] 2072/ 1 Request "BoboTraverse Security too restrictive"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Tue Apr 18 11:27:54 EDT 2006
Issue #2072 Update (Request) "BoboTraverse Security too restrictive"
Status Pending, Zope/bug+solution critical
To followup, visit:
http://www.zope.org/Collectors/Zope/2072
==============================================================
= Request - Entry #1 by alecm on Apr 18, 2006 11:27 am
Uploaded: "bobo_traverse_security.diff"
- http://www.zope.org/Collectors/Zope/2072/bobo_traverse_security.diff/view
It seems that the way OFS.Traversable.restrictedTraverse() handles security checking on objects with __bobo_traverse__ methods is considerably different from the way it normally checks security. The result is that traversal cannot obtain attributes using acquisition from objects that are marked <five:traversable>. In the normal case, security is checked using guarded_getattr, which gets an attribute and checks the permissions on the retrieved object in its original context. For __bobo_traverse__ methods which return non-acquisition wrapped objects (strings, methods), it is impossible to determine the container from which the returned attribute originates. If the attribute was obtained through acquisition, an Unauthorized error will always be raised.
Objects that are Five Traversable always have __bobo_traverse__ methods which attempt to mimic normal traversal, which effectively means that the security checks end up preventing acquisition of properties using traversal from ever working on these objects (say using a TAL path expression 'context/attribute' which would normally be acquired). Unfortunately, because Five has no control over the security checks done during traversal, this cannot be fixed directly in Five. Fixing this only makes sense for Zope itself, provided there aren't any undesirable consequences. I propose that if the validation of a __bobo_traverse__ result raises Unauthorized, that we make one last check to see if the result of 'guarded_getattr(obj, name)' is identical to the result of the __bobo_traverse__ call and allow it if that's the case. I've attached a patch against 2.9 trunk with tests.
==============================================================
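A simplified model of the behaviour and the proposed fallback described in the entry above, added here as an example; it is not Zope's code and not the attached patch. `Node`, `validate`, `restricted_traverse`, `mimic` and the sample objects are hypothetical stand-ins; only the name `guarded_getattr` comes from the report, and its body here is a toy.

```python
# Toy model (constructed); not Zope code and not the attached patch.
class Unauthorized(Exception):
    pass

class Node:
    """Hypothetical stand-in for an acquisition-aware object."""
    def __init__(self, parent=None, public=(), **attrs):
        self.parent, self.public, self.attrs = parent, set(public), attrs

    def acquire(self, name):
        """Return (owner, value), walking up the parent chain."""
        node = self
        while node is not None:
            if name in node.attrs:
                return node, node.attrs[name]
            node = node.parent
        raise AttributeError(name)

def guarded_getattr(obj, name):
    """Model of the normal path: the owner is known, so the permission
    is checked in the attribute's original context."""
    owner, value = obj.acquire(name)
    if name not in owner.public:
        raise Unauthorized(name)
    return value

def validate(container, name):
    """Model of validating a bare __bobo_traverse__ result: only the
    traversed object is available as the container."""
    if name not in container.attrs or name not in container.public:
        raise Unauthorized(name)

def restricted_traverse(obj, name, bobo_traverse, fallback=True):
    result = bobo_traverse(obj, name)
    try:
        validate(obj, name)
    except Unauthorized:
        # Proposed last check: accept only if the guarded lookup yields
        # the very same object; otherwise the denial stands.
        if not fallback or guarded_getattr(obj, name) is not result:
            raise
    return result

# Constructed sample: "title" is public on the parent, "secret" is not.
ROOT = Node(public={"title"}, title="Site", secret="s3")
CHILD = Node(parent=ROOT)

def mimic(obj, name):
    """A bobo_traverse that mimics normal traversal via acquisition."""
    return obj.acquire(name)[1]
```

With `fallback=False` the acquired public attribute is refused, matching the reported behaviour; with the fallback it is returned, while an attribute that `guarded_getattr` would refuse, or a result that is not the identical object, is still denied.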