[zope2-tracker] [Bug 580912] [NEW] Storing method instance of user written class in list confuses Zope access control system.

Tony Middleton launchpad at perusal.info
Sat May 15 07:05:26 EDT 2010


Public bug reported:

After moving from Zope 2.10 to 2.12 some existing Python code which
accesses self written packages failed.  I have created a small test
module to show the problem.

Here is Products/testp/testm.py

class testc:
  def __init__(self,testval):
    self.testval = testval
  def testv(self):
    return self.testval

And here is Products/testp/__init__.py

from AccessControl import allow_module
from AccessControl import allow_class

allow_module("Products.testp")
allow_module("Products.testp.testm")

from Products.testp.testm import testc
allow_class(testc)

The following Script(Python) works as you might expect.

from  Products.testp.testm import testc
xx = testc(7)
return xx.testv()

As does the following

from  Products.testp.testm import testc
xx = testc(7)
yy = xx.testv
return yy()

But the following fails

from  Products.testp.testm import testc
xx = testc(7)
yy = [xx.testv]
zz = yy[0]
return zz()

With error

Error Type: Unauthorized
Error Value: You are not allowed to access 'testv' in this context

I am using Zope 2.12.5 and Python 2.6.5

The same code works fine in Zope 2.10.

** Affects: acquisition
     Importance: Undecided
         Status: New

-- 
Storing method instance of user written class in list confuses Zope access control system.
https://bugs.launchpad.net/bugs/580912
You received this bug notification because you are a member of Zope 2
Developers, which is the registrant for Acquisition.


More information about the zope2-tracker mailing list