[Zope-dev] Re: Patch for attribute permissions problems in Zope 2.7.3
Tres Seaver
tseaver at zope.com
Thu Feb 17 22:44:05 EST 2005
Santi Camps wrote:
| We wrote last week about some attribute permission problems
| with Zope 2.7.3 beta due to a patch applied by Tres.
| First of all, Tres, apologies for my too quickly written test case and my
| too late test of Zope 2.7.3. Now, with some more time, I've tested and
| debugged on Zope 2.7.3 and found exactly what's happening.
| Suppose we have a structure of objects like this: A.__of__(B)
| "A" inherits from Acquisition.Implicit, has security assertions, but does
| not have __allow_access_to_unprotected_subobjects__
| We want to access, from a Zope Page Template, an attribute of "B" that
| is not present in "A"
| Accessing B.our_attribute attribute works fine. But accessing
| A.__of__(B).our_attribute fails, and should work.
|
| The problem is the call to "validate" done in "guarded_getattr" method
| of ImplPython.py. The actual call is "if validate(inst, inst, name,
| v)", but the validate function says:
|
| Arguments:
| accessed -- the object that was being accessed
| container -- the object the value was found in
| name -- The name used to access the value
| value -- The value retrieved though the access.
| roles -- The roles of the object if already known.
|
| Now, "accessed" and "container" are always the same, and in some cases
| should be different. I attach a patch to solve this case that works
| for me. I'm not sure if my code is the best way to solve the problem
| but, as I said, it seems to work fine.
| Of course, if the patch is accepted, the same change should be done in
| the C version.

Jim and I worked through this, and ended up putting back the use of
'aq_acquire' to do the validation, precisely because *it* knows what the
real container is (from guarded_getattr, you have to guess). Please
verify that the head of the 2.7 branch resolves the issues you found.
Thanks very much for your work on this issue. I'm sorry I let it slide
so long,
Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
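
A simplified model of the container mismatch discussed in this thread, added here as an illustration; it is not Zope's code and not the patch attached to the original message. `Obj`, `Wrapped`, `roles`, `allow_unprotected` and the `use_real_container` switch are hypothetical names, and the security policy is reduced to a role lookup on the container.

```python
# Toy model only: class names, fields and policy are assumptions, not Zope source.
class Unauthorized(Exception):
    pass

class Obj:
    roles = {}                 # attribute name -> roles allowed to read it
    allow_unprotected = False  # stands in for __allow_access_to_unprotected_subobjects__

class B(Obj):
    roles = {"our_attribute": {"Manager", "Member"}}
    our_attribute = "value stored on B"

class A(Obj):
    roles = {"title": {"Manager", "Member"}}  # A's own security assertions
    title = "value stored on A"

class Wrapped:
    """Stand-in for A.__of__(B): look on the object first, then on its parent."""
    def __init__(self, obj, parent):
        self.obj, self.parent = obj, parent

    def lookup(self, name):
        for container in (self.obj, self.parent):
            if hasattr(container, name):
                return getattr(container, name), container
        raise AttributeError(name)

def validate(accessed, container, name, value, user_roles):
    """The policy asks the *container* which roles guard `name`."""
    allowed = container.roles.get(name)
    if allowed is None:
        return container.allow_unprotected
    return bool(allowed & user_roles)

def guarded_getattr(wrapped, name, user_roles, use_real_container):
    value, found_in = wrapped.lookup(name)
    # False models validate(inst, inst, name, v): the accessed object doubles as container.
    container = found_in if use_real_container else wrapped.obj
    if not validate(wrapped.obj, container, name, value, user_roles):
        raise Unauthorized(name)
    return value

def demo():
    w, user_roles = Wrapped(A(), B()), {"Member"}
    with_container = guarded_getattr(w, "our_attribute", user_roles, True)
    try:
        guarded_getattr(w, "our_attribute", user_roles, False)
        same_object = "allowed"
    except Unauthorized:
        same_object = "denied"
    return with_container, same_object

if __name__ == "__main__":
    print(demo())
```

In this model the acquired attribute is denied only because the check consults A's declarations for a value that actually lives on B; passing the object the value was found in gives the same answer as accessing B directly.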