[Zope] Re: External Method and XML-RPC (Maybe a bug)

Tres Seaver tseaver at palladion.com
Tue Jan 9 21:30:19 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Phani Kumar Arava wrote:
> Hi,
> I am trying to use Zope as an App server (basically to provide an XML-RPC
> interface) for a certain application.
> 
> I have a function called addFile in the External Method.
> 
> def ext_addfile(self):
>         ob=self.Files
>         ob.manage_addFile("hello","hello")
> 
> I created an external method call ext_addFile()
> 
> Now I write my client using xml-rpc lib
> 
> s=xmlrpclib.Server("<hostname>")
> s.ext_addFile()
> 
> And this adds a file to my directory. This freaked me out, because I was
> an anonymous user and this shouldn't happen. The next thing I did was create a
> Python Script of the same structure and called it addFile()
> 
> ob=context.Files
> ob.manage_addFile("hello","hello")
> 
> Now I run my client xml-rpc program
> s=xmlrpclib.Server("<hostname>")
> s.addFile()
> 
> and it's giving me Unauthorized as expected.
> 
> So basically I don't know why this is happening. Is this due to some
> permission problems I have on the directory or External Methods, or
> something which I am totally missing?

By design, ExternalMethods run as "trusted" code -- if a user has "View"
permission on the EM object, then its code will run, without performing
the security checks done by "untrusted" PythonScript objects.  You need
either to protect the EM object itself (removing the "View" permission
on that object should be enough), or else do the security check within
the EM code itself.  E.g.::

  from AccessControl import getSecurityManager, Unauthorized
  from AccessControl.Permissions import add_documents_images_and_files

  # Inside the External Method body: ask the security manager whether the
  # calling user holds the "Add Documents, Images, and Files" permission on
  # the target container before doing anything trusted.
  sm = getSecurityManager()
  if not sm.checkPermission(add_documents_images_and_files, self):
      raise Unauthorized("Can't add files here!")



Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFpE+7+gerLs4ltQ4RAqS7AKCyr38A61sxIl4PvxdF5XYUcSVv3QCfb80T
NeXVyp3fpSX0K6XpHeBlVZg=
=jDHJ
-----END PGP SIGNATURE-----
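To make the difference concrete, here is an added, stand-alone model of the situation in the thread; it is example code written for this page, not Zope's own code or anything Tres or Phani posted. It stands in for Zope's security machinery with a toy `Folder`, a toy `SecurityManager` whose `checkPermission` consults a role-to-permission map, and a stand-in `Unauthorized` exception (all assumptions, as are the user and role names). The permission string is assumed to match `AccessControl.Permissions.add_documents_images_and_files`. Two functions are exposed through the standard library's in-process XML-RPC dispatcher: one modelled on the original External Method, which adds the file with no check at all, and one that applies the explicit `checkPermission` guard from the reply. Requests are marshalled exactly as an `xmlrpclib` client would send them, so an `Unauthorized` raised inside the guarded method comes back to the caller as an XML-RPC `Fault`, which is what the Python Script version of `addFile` produced for the anonymous caller.

```python
"""Added example: why trusted code reachable over XML-RPC needs its own check."""
from xmlrpc.server import SimpleXMLRPCDispatcher
from xmlrpc.client import dumps, loads, Fault

# Assumption: same title string as AccessControl.Permissions.add_documents_images_and_files.
ADD_FILES = "Add Documents, Images, and Files"


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized (hypothetical, for this example)."""


class Folder:
    """Toy stand-in for the 'Files' folder: its contents plus a role -> permissions map."""

    def __init__(self):
        self.files = {}
        # Constructed policy: only Manager may add files; Anonymous may add nothing.
        self.role_permissions = {"Manager": {ADD_FILES}, "Anonymous": set()}

    def manage_addFile(self, file_id, data):
        self.files[file_id] = data


class SecurityManager:
    """Toy stand-in for getSecurityManager(): knows the calling user's roles."""

    def __init__(self, user, roles):
        self.user, self.roles = user, set(roles)

    def checkPermission(self, permission, obj):
        # A permission is granted if any of the caller's roles carries it on obj.
        granted = set()
        for role in self.roles:
            granted |= obj.role_permissions.get(role, set())
        return permission in granted


FILES = Folder()
_current = SecurityManager("Anonymous User", ["Anonymous"])


def getSecurityManager():
    return _current


def ext_addFile_trusted():
    """What the original External Method does: trusted code, no check at all."""
    FILES.manage_addFile("hello", "hello")
    return sorted(FILES.files)


def ext_addFile_checked():
    """Tres's fix: perform the permission check explicitly inside the trusted code."""
    sm = getSecurityManager()
    if not sm.checkPermission(ADD_FILES, FILES):
        raise Unauthorized("Can't add files here!")
    FILES.manage_addFile("hello", "hello")
    return sorted(FILES.files)


# In-process XML-RPC dispatcher: same marshalling path a network server would use.
dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
dispatcher.register_function(ext_addFile_trusted, "ext_addFile_trusted")
dispatcher.register_function(ext_addFile_checked, "ext_addFile_checked")


def call(method, user, roles):
    """Dispatch one marshalled XML-RPC call to `method` as `user` with `roles`.

    Starts from an empty folder so each scenario is independent. Returns the
    unmarshalled result, or the Fault object the remote client would receive.
    """
    global _current
    FILES.files.clear()
    _current = SecurityManager(user, roles)
    request = dumps((), methodname=method)            # what xmlrpclib sends
    response = dispatcher._marshaled_dispatch(request)  # what the server returns
    try:
        return loads(response)[0][0]
    except Fault as fault:
        return fault


if __name__ == "__main__":
    print("trusted, anonymous:", call("ext_addFile_trusted", "Anonymous User", ["Anonymous"]))
    print("checked, anonymous:", call("ext_addFile_checked", "Anonymous User", ["Anonymous"]))
    print("checked, manager:  ", call("ext_addFile_checked", "admin", ["Manager"]))
```

Running it shows the anonymous caller succeeding against the unchecked method, receiving a Fault whose text names `Unauthorized` from the checked one (with the folder left empty), and a Manager succeeding against the checked one. The check belongs at the point where the trusted code acts, not in the client, because the XML-RPC endpoint is reachable by anyone who can reach the server.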