[Zope] Bug in object security?

Tres Seaver tseaver@palladion.com
Tue, 22 Feb 2000 16:36:23 -0600


"James W. Howe" <jwh@allencreek.com> wrote:
> 
> I've encountered a strange behavior with the Zope security mechanism which
> strikes me as a bug.  Here is what I've done:
> 
> 1. Create a folder in root named 'AccessTest'
> 2. Create a user folder in AccessTest
> 3. Define a role for AccessTest called 'Publisher'
> 4. Create a user in the acl_users directory and grant the user 'Publisher'
> access
> 5. From the AccessTest security tab, disable 'Access contents information'
> for anyone except the manager.
> 6. From the AccessTest security tab, enable 'View management screens' for
> Manager and Publisher.
> 
> From a fresh browser (no previous authentication), attempt to access the
> management interface for AccessTest (i.e.
> http://foo.com:8080/AccessTest/manage).  Log in as the 'Publisher'
> user.  The screen displaying the contents of the AccessFolder will be
> displayed.  However, this is where I think a mistake has been made.
> 
> In ObjectManager, the 'View management screens' has been associated with
> manage_main and manage_menu.  Similarly, ObjectManager defines the 'Access
> contents information' for the methods objectIds, objectValues and
> objectItems.  When I disable 'Access contents information' for my Publisher
> role, it would seem that users with this role should not be able to access
> these methods.  However, the manage_main dtml code which defines the
> contents view of the management interface makes use of these methods.  When
> the manage_main dtml is rendered, why doesn't Zope prompt for
> authentication when manage_main attempts to access objectItems, for example?
> 
> I'm sure there is a very reasonable explanation, but it strikes me as odd.

The likeliest explanation for this feature is that manage_main has a "proxy
role" which permits it to have access beyond that of the user who called it.
Like the setuid/setgid bits on an executable file in a Unix filesystem, proxy
roles allow for controlled access to features; also like those bits, proxy
roles could potentially open security holes, if an untrusted user is able to
modify the text of the method which has them.

Tres.
-- 
=========================================================
Tres Seaver         tseaver@palladion.com    713-523-6582
Palladion Software  http://www.palladion.com
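The mechanism Tres describes, as an added example that is not part of the thread and not Zope's own AccessControl code: a toy model of permission-to-role mappings on a folder, methods guarded by a permission, and a "proxy role" that swaps in a different role set while the method body runs. Every name below (Folder, ProtectedMethod, SecurityError, build_access_test, can_call, the sample contents) is an assumption chosen to mirror the poster's AccessTest setup, and whether Zope's real manage_main carries a proxy role is exactly the question the thread leaves open.

```python
# Added example (not Zope code): a simplified model of Zope-style permission
# checks with proxy roles. All class and function names are assumptions for
# illustration; they are not Zope's AccessControl API.

PUBLISHER = {"Publisher"}
MANAGER = {"Manager"}


class SecurityError(Exception):
    """Raised when the effective roles lack the permission a method requires."""


class ProtectedMethod:
    """A method guarded by one permission. If proxy_roles is non-empty, the
    body runs with those roles instead of the caller's (the setuid analogy)."""

    def __init__(self, name, permission, body, proxy_roles=()):
        self.name = name
        self.permission = permission
        self.body = body                    # callable(folder, effective_roles)
        self.proxy_roles = set(proxy_roles)


class Folder:
    """An object whose permissions map to the roles allowed to use them, as
    configured on the Security tab. Contents are constructed sample data."""

    def __init__(self, permission_roles):
        self.permission_roles = {p: set(r) for p, r in permission_roles.items()}
        self.methods = {}
        self.objects = {"index_html": "...", "news": "..."}   # constructed

    def add_method(self, method):
        self.methods[method.name] = method

    def call(self, name, roles):
        """Check the method's permission against the caller's roles, then run
        the body under the proxy roles (if any) or the caller's roles."""
        method = self.methods[name]
        allowed = self.permission_roles.get(method.permission, set())
        if not allowed & set(roles):
            raise SecurityError(
                f"{method.permission!r} denied for roles {sorted(roles)}")
        effective = method.proxy_roles or set(roles)
        return method.body(self, effective)


def object_items(folder, roles):
    # Guarded by 'Access contents information' via the ProtectedMethod wrapper.
    return sorted(folder.objects)


def delete_all(folder, roles):
    # Guarded by 'Delete objects'; Manager only in the sample setup.
    folder.objects.clear()
    return len(folder.objects)


def manage_main(folder, roles):
    # The contents view re-enters the security machinery, but with the roles
    # that are in effect inside this method, not the original caller's.
    return "Contents: " + ", ".join(folder.call("objectItems", roles))


def tampered_manage_main(folder, roles):
    # The hole Tres warns about: if an untrusted Publisher can edit the text of
    # a method that carries a Manager proxy role, anything they put inside it
    # also runs as Manager.
    folder.call("manage_delObjects", roles)
    return "deleted"


def build_access_test(proxy_roles=()):
    """Reproduce the poster's AccessTest folder: 'Access contents information'
    restricted to Manager, 'View management screens' open to Publisher."""
    folder = Folder({
        "Access contents information": MANAGER,
        "View management screens": MANAGER | PUBLISHER,
        "Delete objects": MANAGER,
    })
    folder.add_method(ProtectedMethod(
        "objectItems", "Access contents information", object_items))
    folder.add_method(ProtectedMethod(
        "manage_main", "View management screens", manage_main, proxy_roles))
    folder.add_method(ProtectedMethod(
        "manage_delObjects", "Delete objects", delete_all))
    return folder


def can_call(folder, name, roles):
    """True if the call completes, False if any nested check denies it."""
    try:
        folder.call(name, roles)
        return True
    except SecurityError:
        return False


if __name__ == "__main__":
    plain = build_access_test()
    print("no proxy role, Publisher -> manage_main:",
          can_call(plain, "manage_main", PUBLISHER))
    proxied = build_access_test(proxy_roles=MANAGER)
    print("Manager proxy role, Publisher -> manage_main:",
          proxied.call("manage_main", PUBLISHER))
```

Without a proxy role the Publisher's call to manage_main fails at the nested objectItems check, which is the prompt the poster expected; with a Manager proxy role the outer check still uses the Publisher's own roles (so direct objectItems calls stay denied) while the body runs as Manager and the contents view renders. The tampered variant shows why the ability to edit a proxied method's text must be treated as equivalent to holding the proxy role itself.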