[Zope-dev] Bugs in new Security Stuff :P (part 2)

Chris Withers chrisw@nipltd.com
Tue, 22 Aug 2000 11:00:28 +0100


Okay, next up, if it's a security error, it should throw a security
error! :(

Squishdot Postings can have file attachments.

class Posting(Persistent, Implicit, RoleManager):

    ...

    # protected by 'View' permission
    def attachment(self):     
        file=self.file
        return file and (file,) or None     

    ...

These are stored as attributes in a totally un-security aware class:

class Squishfile(Acquirer,Persistent):

    def file_name(self):  
        return self._name  

    ...

posting_html is a DTML method and, in 2.2, fails in this bit (which used
to work! ;-):

<dtml-if attachment>  
<dtml-in attachment>  
<A HREF="./<dtml-var file_name url_quote>">  
<IMG SRC="<dtml-var SCRIPT_NAME >/<dtml-var icon>" HEIGHT="16"
 WIDTH="16" BORDER="0" ALT="Click to download attachment"></A>
<A HREF="./<dtml-var file_name url_quote>"><dtml-var file_name></A>   
<dtml-var file_kbytes>KB (<dtml-var file_bytes> bytes)<BR>  
</dtml-in attachment><BR>  
</dtml-if attachment>  

However, the error is rather strange:

Error Type: KeyError
Error Value: file_name
(traceback in PS)

This, believe it or not, is actually a security error, since I can make
it go away by mixing RoleManager into Squishfile and adding
__allow_access_to_unprotected_subobjects__=1 to the class.

Why do I get this, which I presume is due to file_name not being
available in the stacked namespaces, rather than a security dialog box?

confusedly,

Chris

PS: The above code works fine in the management interface, without any
changes to Squishfile, which was the subject of my previous post.