[Zope-dev] Re: PermissionGeddon

Hanno Schlichting schlichting at bakb.net
Sat Nov 26 03:28:34 EST 2005 

Florent Guillaume wrote:
> I've done a big checkin to switch practically everything to the new- 
> style (actually they're 5 years old) security declarations.
> I'd appreciate if another set of eyes could double-check everything;  
> while I've taken a number of steps to ensure I didn't make mistakes  you 
> never know...
> 
> http://mail.zope.org/pipermail/zope-checkins/2005-November/030103.html
> 
> Thanks,
> 
> Florent

Hi Florent.

I have spent some time to run all unit tests of Plone (2.1.1) and all 
it's core products on Zope 2.9 and look into the failing tests.

I hope to have tracked the ~200 failing tests down to two of your 
changes in OFS.CopySupport.

The first change is in the manage_pasteObjects method of CopyContainer. 
There are some _setObject and _delObject calls which grew a new 
suppress_events parameter. This breaks the reference implementation of 
Archetypes because it uses something based on BTreeFolder2 to store 
references and BTreeFolder2 overwrites both _setObject and _delObject 
with its own versions.

As I'm quite new to Zope internals I suppose fixing BTreeFolder2 is the 
right thing here (adding the new parameter on both of its methods). But 
this change might effect some more products which have overwritten these 
methods as CopySupport is a base class of OFS.Folder and so probably of 
every folderish type out there.

The second change is actually related to your permission work. First of 
all I have to thank you for your great work :) But I have found one 
nasty thing.

CopySupport had the following security declaration:

__ac_permissions__=(('Copy or Move', (), ('Anonymous', 'Manager',)),)
...
Globals.default__class_init__(CopySource)

which changed into:

security = ClassSecurityInfo()
security.setPermissionDefault(copy_or_move, ('Anonymous', 'Manager'))
...
InitializeClass(CopySource)

Now the InitializeClass call is actually an alias for the former Globals 
call, so no change here. But as you wrote yourself, you had some trouble 
with the mysterious __ac_permissions format.

Looking at the actual code in App.class_init in the last paragraph I'm 
quite sure that the former code did effectivly nothing so far. The 
actual setattr call is inside a 'for mname in mnames:' loop where mnames 
is the second element of each security tuple - in this special case the 
mysterious () which results in not going through the 'for mname in 
mnames:' loop at all.

In the Plone unit tests this results in about 190 failing tests as 
inserting an object into a folder isn't allowed anymore for normal 
members because this triggers some code in a Referenceable class which 
is based on CopySupport directly, which required no extra permission so 
far but now is protected through the 'Copy or Move' permission.

While I guess that protecting the class with this permission has been 
the intent it was not in effect so far. So this should be either 
reconsidered or at least noted in the changelog. Changing this in 
Archetypes shouldn't be a problem (though I'm very new to Zope's 
permissions system).

I hope this is the kind of feedback you wanted to get other than GREAT 
WORK! ;)

Hanno

---
IRC: hannosch

More information about the Zope-Dev mailing list