[Zope-dev] Patch for attribute permissions problems in Zope 2.7.3

Santi Camps scamps at earcon.com
Fri Oct 29 05:36:33 EDT 2004


Hi all again,

We wrote last week about some attribute permission problems 
with Zope 2.7.3 beta due to a patch applied by Tres. 

First of all, Tres, apologies for my too hastily written test case and my 
too late test of Zope 2.7.3.   Now, with some more time, I've tested and 
debugged on Zope 2.7.3 and found exactly what happens.  

Suppose we have a structure of objects like this:    A.__of__(B)
"A" inherits from Acquisition.Implicit, has security assertions, but does 
not have __allow_access_to_unprotected_subobjects__
We want to access, from a Zope Page Template, an attribute of "B" that 
is not present in "A".
Accessing the B.our_attribute attribute works fine.   But accessing 
A.__of__(B).our_attribute fails, and it should work.

The problem is the call to "validate" done in "guarded_getattr" method 
of ImplPython.py.  The actual call is "if validate(inst, inst, name, 
v)", but the validate function says:

Arguments:
        accessed -- the object that was being accessed
        container -- the object the value was found in
        name -- The name used to access the value
        value -- The value retrieved though the access.
        roles -- The roles of the object if already known.

Now, "accessed" and "container" are always the same, and in some cases 
they should be different.   I attach a patch to solve this case that works 
for me.  I'm not sure if my code is the best way to solve the problem 
but, as I said, it seems to work fine.  

Of course, if the patch is accepted, the same change should be done in 
the C version.

Thanks

Santi Camps
http://www.earcon.com


--- ImplPython.py	2004-08-07 19:15:48.000000000 +0200
+++ /usr/local/zope273/lib/python/AccessControl/ImplPython.py	2004-10-29 10:56:11.000000000 +0200
@@ -534,6 +534,12 @@
         # exceptions are caught early.
         try:
             v = getattr(inst, name)
+            container = inst
+            while hasattr(container,'aq_explicit') and \
+                  not(hasattr(container.aq_explicit, name)) and \
+                  hasattr(container, 'aq_parent'):
+                # Find real container when attribute is acquired
+                container = container.aq_parent
         except AttributeError:
             if default is not _marker:
                 return default
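Review bot: the walk up `aq_parent` in this hunk follows the context chain, not the containment chain; for the `A.__of__(B)` case in the mail both give `B`, but for deeper wrappers `aq_parent` can stop on a context object that never held the attribute, and that object then becomes the `container` the security check trusts. Using `aq_inner.aq_parent` for the step would keep the walk on the real containment path. Two smaller points in the same loop: `hasattr` in Python 2 swallows every exception, so an attribute whose getter raises anything other than `AttributeError` silently ends the walk at the wrong object, and `not(hasattr(container.aq_explicit, name))` reads more idiomatically as `not hasattr(container.aq_explicit, name)`. Since this loop now runs on every `guarded_getattr` call, a unit test covering an attribute found directly on `inst`, one acquired from a parent, and one on a wrapper with no `aq_parent` would pin down the intended behaviour.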
@@ -551,6 +557,6 @@
             return v
 
         validate = SecurityManagement.getSecurityManager().validate
-        if validate(inst, inst, name, v):
+        if validate(inst, container, name, v):
             return v
     raise Unauthorized, name
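Review bot: `container` is bound only inside the `try:` of the previous hunk, so `validate(inst, container, name, v)` relies on the `except AttributeError:` branch always returning or raising. That holds in the visible code, but initialising `container = inst` before the `try:` (or a comment at the assignment) would stop a later edit to the except branch from leaving `container` unbound here. Passing the real container also changes which object's roles `validate` consults, which is the intended fix but is a behaviour change for existing sites, so it belongs in the changelog; and, as the mail already says, the C version needs the identical change, otherwise which implementation is loaded decides whether the security check sees the real container.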

