[Zope-dev] 2.7.3 beta attribute permission problems
Santi Camps
scamps at earcon.com
Mon Oct 18 06:37:02 EDT 2004
Hi all,

I've installed Zope 2.7.3b2 (Python 2.3.4, GNU/Linux box) to test my
products and right away I've found a terrible problem for me.
My applications began to raise "Unauthorized: The container has no
security assertions" errors everywhere. I've been looking in Google
and found this thread:

http://www.mail-archive.com/zope-dev%40zope.org/msg17218.html

Really the problem seems to be exactly the same. A simple example:

I have a persistent object A and a non-persistent object B. B has
implicit acquisition. From trusted code I return B.__of__(A). Trying
to access B.meta_type from untrusted code (a ZPT) raises the error. B
has no attribute meta_type, so it should be returned from A using
implicit acquisition. A has all necessary security assertions.

All this has been working fine from Zope 2.7.0 to 2.7.2. The problem
appears for the first time in Zope 2.7.3 beta. As Richard Jones says, the
problem seems to be a little change in AccessControl/ImplPython.py:
554,557d553
< # Filter out the objects we can't access.
< if hasattr(inst, 'aq_acquire'):
< return inst.aq_acquire(name, aq_validate, validate)
< # Or just try to get the attribute directly.
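Review bot: at ImplPython.py 554-557 the `hasattr(inst, 'aq_acquire')` branch is deleted with nothing in the hunk replacing it, so no path visible here still passes `aq_validate` into an acquisition lookup. If the removal is intended, state the new behaviour in a comment at that spot and add a regression test for a wrapped object that carries no security assertions of its own, such as the B.__of__(A) case described above; otherwise keep the branch. A unified diff with context lines would also show which code now handles acquisition wrappers.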
and I think also in cAccessControl.c:
2112,2123d2113
< # Filter out the objects we can't access.
< if hasattr(inst, 'aq_acquire'):
< return inst.aq_acquire(name, aq_validate, validate)
< */
< if (aq_isWrapper(inst))
< {
< Py_DECREF(v);
< return aq_Acquire(inst, name, aq_validate, validate, 1,
NULL, 0);
< }
<
< /*
< # Or just try to get the attribute directly.
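Review bot: the deletion at cAccessControl.c 2112-2123 takes out the `aq_isWrapper(inst)` branch together with its `Py_DECREF(v)`, so confirm that `v` is still released on every path that remains after this point. The pseudo-code comment tests `hasattr(inst, 'aq_acquire')` while the C code tested `aq_isWrapper(inst)`; since that comment mirrors the lines from ImplPython.py, whichever way this is resolved the C and Python versions should be changed together and covered by the same test for wrapped objects.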
Thanks in advance
Santi Camps
http://www.earcon.com