[Zope-PAS] maxlistusers and OverflowError
Jens Vagelpohl
jens at dataflake.org
Wed Dec 8 17:37:42 EST 2004
The OverflowError is supposed to be caught in the local role form that
is accessible from the Security ZMI tab. If the OverflowError happens
the form will show a simple text input widget to type in a user's ID
and not try to list all users from the user folder, which is a really
bad idea in many situations.
IMHO Silva should catch the error in its call to get_valid_userids. Any
call that attempts to list all users is highly dangerous and should not
be used at all or with caution.
jens
On Dec 8, 2004, at 21:57, Willi Langenberger wrote:
> Hi!
>
>
> The class PluggableAuthService defines "maxlistusers = -1":
>
> class PluggableAuthService( Folder, Cacheable ):
>     [...]
>     maxlistusers = -1   # Don't allow local role form to try to list us!
>
> However, the RoleManager method "get_valid_userids", has the following
> lines in it:
>
> Zope-2.7.2/lib/python/AccessControl/Role.py:
>
> class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
>     [...]
>
>     def get_valid_userids(self):
>         item=self
>         dict={}
>         _notfound = []
>         while 1:
>             aclu = getattr(aq_base(item), '__allow_groups__', _notfound)
>             if aclu is not _notfound:
>                 mlu = getattr(aclu, 'maxlistusers', _notfound)
>                 if type(mlu) != type(1): mlu = DEFAULTMAXLISTUSERS
>                 if mlu < 0: raise OverflowError
>                                   ^^^^^^^^^^^^^
>
> Thus, maxlistusers < 0 raises an OverflowError.
>
> This seems to bite us, when we try to install Silva. Selecting "Silva
> Root" from the Product Add Menu, gives the following errorpage:
>
> Exception Type OverflowError
> Exception Value
>
> Traceback (innermost last):
> Module ZPublisher.Publish, line 98, in publish
> Module ZPublisher.mapply, line 88, in mapply
> Module ZPublisher.Publish, line 39, in call_object
> Module Products.Silva.Root, line 317, in manage_addRoot
> Module Products.Silva.install, line 96, in installFromScratch
> Module Products.Silva.install, line 625, in installSilvaDocument
> Module Products.Silva.Security, line 260, in sec_update_last_author_info
> Module Products.Silva.Security, line 227, in sec_get_member
> Module Products.Silva.SimpleMembership, line 191, in get_cached_member
> Module Products.Silva.SimpleMembership, line 177, in get_member
> Module Products.Silva.SimpleMembership, line 172, in is_user
> Module AccessControl.Role, line 314, in get_valid_userids
> OverflowError
>
> So my questions are:
>
> - what is the rationale behind setting maxlistusers to -1?
>
> - could this prevent some (user-listing) functions from working
> correctly?
>
> - or, is it Silva's fault (should it catch the OverflowError)?
>
> We got it to work by setting maxlistusers to 20, but I doubt this is
> the right way to fix it...
>
>
> Cheers,
>
>
> \wlang{}
>
> --
> Willi.Langenberger at wu-wien.ac.at Fax: +43/1/31336/9207
> Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
---------------
Jens Vagelpohl jens at zetwork.com
Software Engineer +49-(0)441-36 18 14 38
Zetwork GmbH http://www.zetwork.com/
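
Added example, not part of the original thread and not Zope or Silva code: a caller that treats OverflowError from a user-listing call as "this folder will not be enumerated" and falls back to a single-ID lookup, which is the handling the reply recommends. `StubUserFolder`, `is_user`, the value of `DEFAULTMAXLISTUSERS` and the size cap for positive limits are assumptions made for this sketch; `get_valid_userids` here is a simplified model of the quoted method.

```python
DEFAULTMAXLISTUSERS = 250  # assumed fallback limit for this sketch


class StubUserFolder:
    """Constructed stand-in for a user folder such as PluggableAuthService."""

    def __init__(self, user_ids, maxlistusers=-1):
        self._user_ids = set(user_ids)
        self.maxlistusers = maxlistusers
        self.enumerations = 0  # how often the full user list was built

    def user_names(self):
        self.enumerations += 1
        return sorted(self._user_ids)

    def getUserById(self, user_id, default=None):
        return user_id if user_id in self._user_ids else default


def get_valid_userids(folder):
    """Simplified model of the maxlistusers check in the quoted method."""
    mlu = getattr(folder, "maxlistusers", DEFAULTMAXLISTUSERS)
    if type(mlu) is not int:
        mlu = DEFAULTMAXLISTUSERS
    if mlu < 0:
        raise OverflowError  # the folder refuses to be listed at all
    names = folder.user_names()
    # Assumption (not shown in the quoted excerpt): a positive limit caps
    # how many users may be listed.
    if mlu > 0 and len(names) > mlu:
        raise OverflowError
    return names


def is_user(folder, user_id):
    """Hypothetical caller: check one ID without requiring a full listing."""
    try:
        return user_id in get_valid_userids(folder)
    except OverflowError:
        # Listing is refused or too large: look up only the ID in question.
        return folder.getUserById(user_id) is not None
```

With `maxlistusers = -1` the membership check still gives the right answer and the full user list is never built, so the workaround of raising the limit to 20 is not needed.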