[Zope-dev] Broken authentication with zope.app.component 3.4.1 BBB code

Marius Gedminas marius at gedmin.as
Wed Jul 15 16:08:41 EDT 2009


I've had a bit of fun debugging an authentication issue in an application
that recently upgraded to Zope 3.4 (using the 3.4.0 KGS).  The issue was
that groups defined in ZCML (such as zope.Everybody) did not get applied
to principals (if "applied" is the right word here).

Debugging this led me to this quiet little marvel of code in
zope.securitypolicy.zopepolicy:

            try:
                group = getPrincipal(group_id)
            except PrincipalLookupError:
                # It's bad if we have an undefined principal,
                # but we don't want to fail here.  But we won't
                # honor any grants for the group. We'll just skip it.
                continue

and from there to zope.app.authentication.authentication

    def getPrincipal(self, id):
        if not id.startswith(self.prefix):
            next = queryNextUtility(self, IAuthentication)
            if next is None:
                raise PrincipalLookupError(id)
            return next.getPrincipal(id)

where queryNextUtility unexpectedly returned None instead of chaining to
the global IAuthentication utility, which would know about groups such
as 'zope.Everybody'.

Comparing the database I have here (which has been in production for
years) with a freshly-created new database I noticed a difference in
LocalSiteManager's attributes: the old db had __bases__ == (), the new db had
__bases__ == (<BaseGlobalComponents>, ).

An hour of cursing and fighting buildout.cfg later, I had a branch of
zope.app.component where I could run the test suite.  I could reproduce
the issue in the unit tests and released a fix as zope.app.component 3.4.2.

This is a pretty serious issue, so I'd appreciate some review from
people who know about local component registries.  The fix is here:

  http://svn.zope.org/zope.app.component/?rev=101931&view=rev

I'm also wondering whether we ought to release an updated versions.cfg
(as Zope KGS 3.4.1 perhaps), since the BBB issue is insidious and
difficult to notice.

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3 consulting and development
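A simplified model of the chain described in this post, added here as an illustration and not Zope's own code: SiteManager, GlobalAuth, LocalAuth, query_next_utility, resolve_groups and build_local_auth are hypothetical stand-ins for the real zope.* machinery. It shows how an empty __bases__ makes the local authentication utility fail to chain to the global one, and how the policy loop then drops the group grants without raising anything.

```python
# Added example, not Zope's own code: SiteManager, GlobalAuth, LocalAuth,
# query_next_utility and resolve_groups are hypothetical stand-ins.
class PrincipalLookupError(LookupError): pass
class SiteManager:
    def __init__(self, bases=(), auth=None):
        self.__bases__ = bases  # parent registries, () in the broken old db
        self.auth = auth        # the IAuthentication utility registered here
def query_next_utility(sm):  # like queryNextUtility: depth-first search of __bases__
    for base in sm.__bases__:
        if base.auth is not None:
            return base.auth
        found = query_next_utility(base)
        if found is not None:
            return found
    return None  # nothing to chain to when __bases__ == ()
class GlobalAuth:  # global utility: knows the groups defined in ZCML
    groups = {"zope.Everybody": "Everybody", "zope.Authenticated": "Authenticated"}
    def getPrincipal(self, pid):
        if pid in self.groups:
            return self.groups[pid]
        raise PrincipalLookupError(pid)
class LocalAuth:
    """Local PAU: serves its own prefix, otherwise chains to the next utility."""
    def __init__(self, prefix, users, site_manager):
        self.prefix, self.users, self.sm = prefix, users, site_manager
    def getPrincipal(self, pid):
        if not pid.startswith(self.prefix):
            nxt = query_next_utility(self.sm)
            if nxt is None:
                raise PrincipalLookupError(pid)
            return nxt.getPrincipal(pid)
        if pid in self.users:
            return self.users[pid]
        raise PrincipalLookupError(pid)
def resolve_groups(auth, group_ids):
    """Mirror the zopepolicy loop: an undefined group is skipped, not an error."""
    resolved, skipped = [], []
    for gid in group_ids:
        try:
            resolved.append(auth.getPrincipal(gid))
        except PrincipalLookupError:
            skipped.append(gid)  # grants for this group are silently dropped
    return resolved, skipped
def build_local_auth(bases_include_global):
    """Old db: __bases__ == (); fixed/new db: __bases__ == (global registry,)."""
    global_sm = SiteManager(auth=GlobalAuth())
    local_sm = SiteManager(bases=(global_sm,) if bases_include_global else ())
    local_sm.auth = LocalAuth("pau.", {"pau.alice": "Alice"}, local_sm)
    return local_sm.auth
```

A non-empty `skipped` list for groups that are known to be defined in ZCML is the signal to look for after an upgrade: nothing in the policy itself will complain.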