[Zope] Re: recursion problem with newer security machinery

Tres Seaver tseaver at zope.com
Wed Jan 19 10:24:08 EST 2005


Christopher N. Deckard wrote:

> We recently upgraded to 2.6.4, and are now having a problem with our 
> custom UserFolder Product.  I've narrowed everything down to a few 
> methods, but am at a loss on how to fix it.
> 
> In our UserFolder User class, we have overridden getRolesInContext to 
> look for a Python Script (we call it an "authorize script"), in parent 
> folders of the published object.  It then calls each script to 
> programmatically add roles at runtime.  This works great with Zope 2.6.2. 
>  I have noticed that in Zope 2.6.4 the method Bindings._getContext in 
> Shared/DC/Scripts/Bindings.py has new validate code in it.  I believe 
> this is what is causing the problem for us.
> 
> What is strange is that this is only a problem when using 
> ExternalEditor, and when the container of the object we are trying to 
> edit contains an "authorize script".  From the ZMI there are no 
> problems, and from folders under the folder with the "authorize script" 
> there are no problems editing with ExternalEditor.
> 
> Any help would be appreciated.  Below is our code, and the two 
> _getContext implementations for quicker reference.

The recursion problem stems from the fact that the new bindings 
machinery wants to ensure that the user has roles for the context before 
binding it, but you need the script to run to determine whether the user 
has roles.  The older code created a nasty security issue for sites 
which made it possible for untrusted users to write PythonScripts.

I don't know that this will work, but try giving the script a
proxy role of 'Manager'; if that works, then you are set.

If it doesn't work, then I believe you need to look at converting your 
PythonScripts to instances of a "tool" class which can run the check as 
trusted code.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com

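The cycle Tres describes, as an added runnable model written for this page (it is not Zope code, and nothing in it was posted by either correspondent). The class and method names below (Folder, User.roles_in_context, PythonScript.run, AuthorizeTool) are stand-ins for Zope's User.getRolesInContext and the validation in Bindings._getContext, and the "check the user has roles in the container before binding it" step is a simplified assumption about what the 2.6.4 bindings code does. The model shows the three situations in the reply: an authorize script with no proxy roles recurses until Python gives up, the same script with a proxy role of 'Manager' terminates, and a trusted "tool" object terminates because binding it involves no role check at all.

```python
"""Model of the getRolesInContext / bindings-validation recursion.

Illustrative code written for this page, not Zope code.  All names are
assumed stand-ins for the Zope machinery discussed in the thread.
"""


class Folder:
    """A container that may carry an 'authorize script'."""

    def __init__(self, name, parent=None, authorize_script=None):
        self.name = name
        self.parent = parent
        self.authorize_script = authorize_script


class User:
    """Stand-in for the custom UserFolder's User class."""

    def __init__(self, name, base_roles=()):
        self.name = name
        self.base_roles = tuple(base_roles)

    def roles_in_context(self, obj):
        """Like the overridden getRolesInContext: walk up the containers
        and let every authorize script found add roles at runtime."""
        roles = set(self.base_roles)
        node = obj
        while node is not None:
            script = node.authorize_script
            if script is not None:
                roles |= script.run(self, node)
            node = node.parent
        return roles


class PythonScript:
    """Stand-in for a PythonScript whose binding is validated before it runs."""

    def __init__(self, grants, proxy_roles=()):
        self.grants = set(grants)
        self.proxy_roles = set(proxy_roles)

    def run(self, user, container):
        # Assumed model of the newer bindings check: before binding
        # 'container', make sure the executing user has roles there.
        # Without proxy roles that means calling roles_in_context, which
        # runs this very script again: that is the recursion.
        if self.proxy_roles:
            effective = self.proxy_roles  # proxy roles replace the user's own
        else:
            effective = user.roles_in_context(container)
        if not effective:
            raise PermissionError(f"{user.name} has no roles in {container.name}")
        return set(self.grants)


class AuthorizeTool:
    """Stand-in for the 'tool class' alternative: trusted code, so no
    role check happens on binding and roles_in_context is never re-entered."""

    def __init__(self, grants):
        self.grants = set(grants)

    def run(self, user, container):
        return set(self.grants)


def roles_with(script_factory):
    """Constructed site: the folder holding the edited document carries an
    authorize script; ask for the user's roles on that document."""
    root = Folder("root")
    site = Folder("site", parent=root, authorize_script=script_factory())
    doc = Folder("doc", parent=site)
    return User("chris", base_roles=("Authenticated",)).roles_in_context(doc)


def recurses_forever(script_factory):
    """True if resolving roles with this kind of script never terminates."""
    try:
        roles_with(script_factory)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    print("no proxy roles:", recurses_forever(lambda: PythonScript(["Editor"])))
    print("proxy Manager :", roles_with(lambda: PythonScript(["Editor"], ["Manager"])))
    print("trusted tool  :", roles_with(lambda: AuthorizeTool(["Editor"])))
```

The proxy-role variant terminates only because the check never consults the user's script-dependent roles; that is also why it is a fix and not just a workaround, since the script's own computation is what the check was trying to protect.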