[Zope-PAS] maxlistusers and OverflowError

Jens Vagelpohl jens at dataflake.org
Wed Dec 8 17:37:42 EST 2004


The OverflowError is supposed to be caught in the local role form that 
is accessible from the Security ZMI tab. If the OverflowError happens 
the form will show a simple text input widget to type in a user's ID 
and not try to list all users from the user folder, which is a really 
bad idea in many situations.

IMHO Silva should catch the error in its call to get_valid_userids. Any 
call that attempts to list all users is highly dangerous and should not 
be used at all or with caution.

jens



On Dec 8, 2004, at 21:57, Willi Langenberger wrote:

> Hi!
>
>
> The class PluggableAuthService defines "maxlistusers = -1":
>
>   class PluggableAuthService( Folder, Cacheable ):
>       [...]
>       maxlistusers = -1   # Don't allow local role form to try to list us!
>
> However, the RoleManager method "get_valid_userids", has the following
> lines in it:
>
>   Zope-2.7.2/lib/python/AccessControl/Role.py:
>
>   class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
>       [...]
>
>       def get_valid_userids(self):
>           item=self
>           dict={}
>           _notfound = []
>           while 1:
>               aclu = getattr(aq_base(item), '__allow_groups__', _notfound)
>               if aclu is not _notfound:
>                   mlu = getattr(aclu, 'maxlistusers', _notfound)
>                   if type(mlu) != type(1): mlu = DEFAULTMAXLISTUSERS
>                   if mlu < 0: raise OverflowError
>                      ^^^^^^^^
>
> Thus, maxlistusers < 0 raises an OverflowError.
>
> This seems to bite us, when we try to install Silva. Selecting "Silva
> Root" from the Product Add Menu, gives the following errorpage:
>
>   Exception Type    OverflowError
>   Exception Value
>
>   Traceback (innermost last):
>     Module ZPublisher.Publish, line 98, in publish
>     Module ZPublisher.mapply, line 88, in mapply
>     Module ZPublisher.Publish, line 39, in call_object
>     Module Products.Silva.Root, line 317, in manage_addRoot
>     Module Products.Silva.install, line 96, in installFromScratch
>     Module Products.Silva.install, line 625, in installSilvaDocument
>     Module Products.Silva.Security, line 260, in sec_update_last_author_info
>     Module Products.Silva.Security, line 227, in sec_get_member
>     Module Products.Silva.SimpleMembership, line 191, in get_cached_member
>     Module Products.Silva.SimpleMembership, line 177, in get_member
>     Module Products.Silva.SimpleMembership, line 172, in is_user
>     Module AccessControl.Role, line 314, in get_valid_userids
>   OverflowError
>
> So my questions are:
>
>   - what is the rationale behind setting maxlistusers to -1?
>
>   - could this prevent some (user-listing) functions from working
>     correctly?
>
>   - or, is it Silva's fault (should it catch the OverflowError)?
>
> We got it to work by setting maxlistusers to 20, but I doubt this is
> the right way to fix it...
>
>
> Cheers,
>
>
> \wlang{}
>
> -- 
> Willi.Langenberger at wu-wien.ac.at                Fax: +43/1/31336/9207
> Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria

---------------

Jens Vagelpohl			jens at zetwork.com
Software Engineer			+49-(0)441-36 18 14 38
Zetwork GmbH				http://www.zetwork.com/
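
Added example, not part of the original thread and not Zope, PAS or Silva code: a self-contained sketch of the caller-side handling discussed above, where OverflowError from get_valid_userids is caught instead of listing every user. StubUserFolder, is_user, local_role_widget, the DEFAULTMAXLISTUSERS value and the fallback to a single getUserById lookup are assumptions made for illustration.

```python
DEFAULTMAXLISTUSERS = 250  # constructed value for this sketch


class StubUserFolder:
    """Hypothetical stand-in for a user folder; not the PAS class."""

    def __init__(self, userids, maxlistusers):
        self._ids = list(userids)
        self.maxlistusers = maxlistusers
        self.list_calls = 0  # counts full enumerations of the user base

    def user_names(self):
        self.list_calls += 1
        return list(self._ids)

    def getUserById(self, userid):
        return userid if userid in self._ids else None


def get_valid_userids(aclu):
    """Simplified from the quoted RoleManager check, one folder only."""
    mlu = getattr(aclu, "maxlistusers", DEFAULTMAXLISTUSERS)
    if not isinstance(mlu, int):
        mlu = DEFAULTMAXLISTUSERS
    if mlu < 0:
        raise OverflowError  # the folder refuses to be enumerated
    return aclu.user_names()


def is_user(aclu, userid):
    """Membership test that never needs the full user list (assumed fallback)."""
    try:
        return userid in get_valid_userids(aclu)
    except OverflowError:
        return aclu.getUserById(userid) is not None


def local_role_widget(aclu):
    """Mirror of the form behaviour described: list if allowed, else text input."""
    try:
        return ("select", get_valid_userids(aclu))
    except OverflowError:
        return ("text", None)


if __name__ == "__main__":
    pas_like = StubUserFolder(["alice", "bob"], maxlistusers=-1)  # constructed data
    print(is_user(pas_like, "alice"), local_role_widget(pas_like), pas_like.list_calls)
```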


