[Zope-dev] Re: security problem in an monkey-patch

Tres Seaver tseaver at palladion.com
Wed Sep 19 10:16:37 EDT 2007



Joachim Schmitz wrote:
> Hi,
> 
> I have monkey-patched the QueueCatalog to adopt it to our needs, which 
> works fine. I now wanted to introduce a new feature:
> 
> The QueueCatalog should be bypassed during mass-import of data.
> So I introduced a new variable "_bypass", and new getBypassQueue() and 
> setBypassQueue methods in the monkey-patch:
> 
> security.declareProtected(view_management_screens, 'getBypassQueue')
> def getBypassQueue(self):
>      "get _by_pass"
>      if not hasattr(self,"_bypass"):
>          self._bypass = False
>      return self._bypass

I would write this as:

   return getattr(self, '_bypass', False)

avoiding both write-on-read and hasattr in one fell swoop.

> security.declareProtected(view_management_screens, 'setBypassQueue')
> def setBypassQueue(self, bypass=False):
>      "set _bypass"
>      self._bypass = bypass
> 
> from Products.QueueCatalog.QueueCatalog import QueueCatalog
> QueueCatalog.getBypassQueue = getBypassQueue
> QueueCatalog.setBypassQueue = setBypassQueue
> 
> 
> I can invoke these methods from the url like:
> 
> ../portal_catalog/setBypassQueue?bypass=1
> 
> and
> 
> ../portal_catalog/getBypassQueue
> displays a 1
> 
> But when I do a:
> 
> <input type="checkbox" name="enable_bypass"
>        tal:attributes="checked here/portal_catalog/getBypassQueue" />
> 
> I get:
> Unauthorized: The container has no security assertions.  Access to 
> 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
> 
> What am I missing here?

You need to supply security assertions for the new method you have added
to the class (your security assertions are being "left behind" in the
context where you defined the function).  Likely you can add another
attribute to the class, 'getBypassQueue__roles__', with the value being
a tuple, ('Manager',) (unless you want to figure out how to create a
PermissionRoles object yourself).



Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
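A pared-down model of the `<name>__roles__` lookup the reply relies on, added here as an illustration and not code from Zope or from the poster's module: `QueueCatalog` is a constructed stand-in for the real class, `validate()` is a deliberately simplified imitation of the check Zope's security policy makes on the container, and `demo()` shows the monkey-patched method being denied until the `__roles__` tuple is put on the class.

```python
class Unauthorized(Exception):
    """Stand-in for AccessControl's Unauthorized (constructed for this example)."""

class QueueCatalog:
    """Constructed stand-in for Products.QueueCatalog.QueueCatalog."""

# The monkey-patch from the post.  Its security.declareProtected() calls are
# omitted: they went to a module-level ClassSecurityInfo that was never applied
# to QueueCatalog, so the class carries no assertion for the new names.
def getBypassQueue(self):
    "get _bypass"
    return getattr(self, '_bypass', False)   # no hasattr, no write-on-read

def setBypassQueue(self, bypass=False):
    "set _bypass"
    self._bypass = bypass

QueueCatalog.getBypassQueue = getBypassQueue
QueueCatalog.setBypassQueue = setBypassQueue

_marker = object()

def validate(container, name, user_roles):
    """Simplified model of Zope's '<name>__roles__' lookup on the container."""
    roles = getattr(container, name + '__roles__', _marker)
    if roles is _marker:
        raise Unauthorized("The container has no security assertions. Access to %r denied." % name)
    if roles is not None and not set(roles) & set(user_roles):  # None = public
        raise Unauthorized("Access to %r denied." % name)
    return getattr(container, name)

def outcome(container, name, user_roles):
    try:
        validate(container, name, user_roles)
        return 'allowed'
    except Unauthorized:
        return 'denied'

def demo():
    """Access outcomes before and after supplying the assertion, plus the value."""
    cat = QueueCatalog()
    before = outcome(cat, 'getBypassQueue', ('Manager',))
    # The fix from the reply: an assertion attribute on the class, a tuple of roles.
    QueueCatalog.getBypassQueue__roles__ = ('Manager',)
    QueueCatalog.setBypassQueue__roles__ = ('Manager',)
    validate(cat, 'setBypassQueue', ('Manager',))(bypass=True)
    return (before,
            outcome(cat, 'getBypassQueue', ('Manager',)),
            outcome(cat, 'getBypassQueue', ('Anonymous',)),
            validate(cat, 'getBypassQueue', ('Manager',))())
```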