[zope2-tracker] [Bug 580912] [NEW] Storing method instance of user written class in list confuses Zope access control system.
Tony Middleton
launchpad at perusal.info
Sat May 15 07:05:26 EDT 2010
Public bug reported:
After moving from Zope 2.10 to 2.12 some existing Python code which
accesses self written packages failed. I have created a small test
module to show the problem.
Here is Products/testp/testm.py
class testc:
def __init__(self,testval):
self.testval = testval
def testv(self):
return self.testval
And here is Products/testp/__init__.py
from AccessControl import allow_module
from AccessControl import allow_class
allow_module("Products.testp")
allow_module("Products.testp.testm")
from Products.testp.testm import testc
allow_class(testc)
The following Script(Python) works as you might expect.
from Products.testp.testm import testc
xx = testc(7)
return xx.testv()
As does the following
from Products.testp.testm import testc
xx = testc(7)
yy = xx.testv
return yy()
But the following fails
from Products.testp.testm import testc
xx = testc(7)
yy = [xx.testv]
zz = yy[0]
return zz()
With error
Error Type: Unauthorized
Error Value: You are not allowed to access 'testv' in this context
I am using Zope 2.12.5 and Python 2.6.5
The same code works fine in Zope 2.10.
** Affects: acquisition
Importance: Undecided
Status: New
--
Storing method instance of user written class in list confuses Zope access control system.
https://bugs.launchpad.net/bugs/580912
You received this bug notification because you are a member of Zope 2
Developers, which is the registrant for Acquisition.
More information about the zope2-tracker
mailing list