[Zope-dev] Re: 2.7.3 beta attribute permission problems
Santi Camps
scamps at earcon.com
Wed Oct 20 01:18:59 EDT 2004
Tres Seaver wrote:
> Dieter Maurer wrote:
>
>> Santi Camps wrote at 2004-10-19 15:05 +0200:
>>
>>> ...
>>> Error Type: Unauthorized
>>> Error Value: The container has no security assertions. Access to
>>> 'get_sum_of_values' of (Adapter instance at 40ae6ac0) denied.
>>
>> This tells you that the container containing "get_sum_of_values"
>> does not have security assertions. Is this wrong?
>
> The container (the class Test.Test in Santi's product) does have
> security assertions for *itself*:
>
> class Test(OrderedFolder):
>     """
>     Test
>     """
>
>     meta_type = 'AccessControl Test'
>
>     security = ClassSecurityInfo()
>     security.declareObjectProtected('View')
>
> However it makes no assertion for the attribute 'get_sum_of_values':
>
>     ############################################################
>     def get_sum_of_values(self):
>         """
>         """
>         return self.value1 + self.value2
>
> AFAICT, the new behavior is perfectly correct here: absent either an
> explicit permission declaration for 'get_sum_of_values', or a "blanket
> grant" for unprotected subobjects (e.g.,
> 'security.setDefaultAccess(1)'), the template which fails *should*
> fail; the fact that it used to succeed was merely a security hole.
>
> Tres.
Hi again,
Adding a security.declareProtected('View', 'get_sum_of_values') results
in the same error.
Anyway, I can't understand a behaviour that allows accessing a method
directly from the URL and crashes when the access is done from a ZPT.
If what you want is that all methods without an explicit permission
declaration be considered private, then direct access from a URL should also
raise an Unauthorized error, I think.
On the other hand, I don't think that the current code could be considered a
security hole. If a method is unprotected, then the protection of the
object itself is applied. I like it. But I understand that this is a
personal opinion. I suppose the change is due to some security hole found.
Regards,
Santi Camps
http://www.earcon.com
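The decision Tres describes (explicit declaration on the attribute, else a blanket grant via setDefaultAccess, else denial with the "no security assertions" message) can be illustrated with a small model. The block below is an added example, not code from this thread and not Zope's own implementation: it is a deliberately simplified stand-in for AccessControl.ZopeSecurityPolicy that ignores roles, acquisition and `__roles__` attributes, and the names `check_access`, `outcome`, `user_permissions` and the `build_*` helpers are constructed for this illustration. It assumes the declarations have already taken effect on the class, which in a real Zope product happens when InitializeClass runs.

```python
# Added example: a simplified model of the Zope 2 attribute-access decision
# discussed in the thread. Not Zope's code; the real policy also handles
# roles, acquisition and __roles__. All names below are constructed.


class Unauthorized(Exception):
    """Raised when the (modelled) security policy denies access."""


class ClassSecurityInfo:
    """Records the kinds of declaration mentioned in the thread."""

    PUBLIC = object()
    PRIVATE = object()

    def __init__(self):
        self.object_permission = None      # security.declareObjectProtected('View')
        self.attribute_permissions = {}    # name -> permission / PUBLIC / PRIVATE
        self.default_access = False        # security.setDefaultAccess(1)

    def declareObjectProtected(self, permission):
        self.object_permission = permission

    def declareProtected(self, permission, *names):
        for name in names:
            self.attribute_permissions[name] = permission

    def declarePublic(self, *names):
        for name in names:
            self.attribute_permissions[name] = self.PUBLIC

    def declarePrivate(self, *names):
        for name in names:
            self.attribute_permissions[name] = self.PRIVATE

    def setDefaultAccess(self, allow):
        self.default_access = bool(allow)


def check_access(security, name, user_permissions):
    """Decide whether a user holding user_permissions may reach attribute `name`.

    Order of checks, following Tres's description: an explicit declaration for
    the attribute wins; otherwise a blanket grant (setDefaultAccess) falls back
    to the container's own protection; otherwise access is denied with the
    message from the error report.
    """
    declared = security.attribute_permissions.get(name)
    if declared is ClassSecurityInfo.PUBLIC:
        return True
    if declared is ClassSecurityInfo.PRIVATE:
        raise Unauthorized("%r is declared private" % name)
    if declared is not None:
        if declared in user_permissions:
            return True
        raise Unauthorized("%r requires the %r permission" % (name, declared))
    # No declaration for the attribute itself.
    if security.default_access:
        # Blanket grant: the container's own protection is what gets checked.
        if security.object_permission is None or security.object_permission in user_permissions:
            return True
        raise Unauthorized("container requires the %r permission" % security.object_permission)
    raise Unauthorized(
        "The container has no security assertions. Access to %r denied." % name)


def build_original_test_class():
    """Declarations as in the quoted Test class: object protected, method undeclared."""
    security = ClassSecurityInfo()
    security.declareObjectProtected('View')
    return security


def build_fixed_test_class():
    """Same class plus an explicit declaration for the method."""
    security = build_original_test_class()
    security.declareProtected('View', 'get_sum_of_values')
    return security


def build_blanket_grant_test_class():
    """Same class using the blanket grant for undeclared subobjects instead."""
    security = build_original_test_class()
    security.setDefaultAccess(1)
    return security


def outcome(security, name, user_permissions):
    """Return 'allowed' or the Unauthorized message, for easy comparison."""
    try:
        check_access(security, name, user_permissions)
        return "allowed"
    except Unauthorized as exc:
        return str(exc)


if __name__ == "__main__":
    viewer = {"View"}
    for label, builder in [("original", build_original_test_class),
                           ("declareProtected", build_fixed_test_class),
                           ("setDefaultAccess(1)", build_blanket_grant_test_class)]:
        print("%-20s %s" % (label, outcome(builder(), "get_sum_of_values", viewer)))
```

Running it prints one line per variant: the original declarations reproduce the "no security assertions" denial even for a user holding View, the declareProtected variant allows that user and denies one without View, and the setDefaultAccess(1) variant applies the container's own View protection to the undeclared method.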