[zope2-tracker] [Bug 1023561] [NEW] PluggableAuthService._authorizeUser() silently eats Unauthorized exceptions

kleist kleist at postkiosk.de
Wed Jul 11 19:00:43 UTC 2012


Public bug reported:

[copied from http://dev.plone.org/ticket/12273]

I don't know when this has happened, but
PluggableAuthService._authorizeUser() silently eats Unauthorized
exceptions, making debugging of some permission problem cases
impossible.

In particular, it looks like the exception gets eaten at least when
resolving List Folder Contents for the folder_contents view.

Later this is translated into a very unhelpful error message by ZPublisher.

I am not sure how this exception should be handled, as it seems that
_authorizeUser() might be called many times by the same request. I
recommend that if verbose security is on, we log all the errors to the
logging output at INFO level, to at least get some hint of what's going on.

Plone 4.1 and some customizations in place - I did not try this in
vanilla Plone yet, as I am still debugging what's causing the permission
problem in the first place.

{{{
Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.BaseRequest, line 625, in traverse
  Module ZPublisher.HTTPResponse, line 756, in unauthorized
Unauthorized: <strong>You are not authorized to access this resource.</strong><p>
No Authorization header found.</p>
}}}

Below is a stop-gap fix, also showing the code in question, where the
hair pulling happens:

{{{
# Imports used by this method (as in Products.PluggableAuthService);
# `security` (a ClassSecurityInfo) and `_noroles` are defined in the
# enclosing class/module.
from AccessControl import Unauthorized, getSecurityManager
from AccessControl.SecurityManagement import newSecurityManager, noSecurityManager
from Acquisition import aq_base

    security.declarePrivate( '_authorizeUser' )
    def _authorizeUser( self
                      , user
                      , accessed
                      , container
                      , name
                      , value
                      , roles=_noroles
                      ):

        """ -> boolean (whether user has roles).

        o Add the user to the SM's stack, if successful.

        o Return
        """
        user = aq_base( user ).__of__( self )
        newSecurityManager( None, user )
        security = getSecurityManager()
        print "Validating security"
        try:
            try:
                if roles is _noroles:
                    if security.validate( accessed
                                        , container
                                        , name
                                        , value
                                        ):
                        return 1
                else:
                    if security.validate( accessed
                                        , container
                                        , name
                                        , value
                                        , roles
                                        ):
                        return 1
            except Exception, e:
                # Stop-gap: show the traceback before the manager is torn down.
                import traceback ; traceback.print_exc()
                noSecurityManager()
                raise

        except Unauthorized, e:
            # This is where the reason for the denial was being lost.
            import traceback ; traceback.print_exc()
            pass

        return 0
}}}

** Affects: zope2
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Zope 2
Developers, which is subscribed to Zope 2.
https://bugs.launchpad.net/bugs/1023561

Title:
  PluggableAuthService._authorizeUser() silently eats Unauthorized
  exceptions

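Added example, not code from the bug report or from PluggableAuthService: a simplified stand-in for the _authorizeUser pattern, showing the silent catch that loses the denial reason beside the variant the report recommends, which logs the swallowed Unauthorized (with traceback) at INFO when verbose security is on while keeping the same boolean contract. Unauthorized, the validate callable and the verbose_security flag are constructed stand-ins.

```python
import logging

class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized (constructed for this example)."""

log = logging.getLogger("PluggableAuthService.example")

class _RecordingHandler(logging.Handler):
    """Collects log records so the logged behaviour can be checked offline."""
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(record)

def authorize_user_silent(validate, *args):
    """The reported behaviour: any Unauthorized collapses into 0, reason lost."""
    try:
        if validate(*args):
            return 1
    except Unauthorized:
        pass
    return 0

def authorize_user_logged(validate, *args, verbose_security=False):
    """Same contract, but with verbose security on, record why validation failed."""
    try:
        if validate(*args):
            return 1
    except Unauthorized as exc:
        if verbose_security:
            # INFO-level record carrying the reason and the traceback; caller still sees 0.
            log.info("validate(%s) denied: %s", ", ".join(map(repr, args)), exc, exc_info=True)
    return 0

def deny(*args):
    """Constructed validate() stand-in that always refuses with a reason."""
    raise Unauthorized("No 'List folder contents' permission on %r" % (args[2],))

def run_demo():
    """Exercise both variants against deny(); returns results plus captured messages."""
    handler = _RecordingHandler()
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    call = ("accessed", "container", "folder_contents", "value")
    try:
        silent = authorize_user_silent(deny, *call)
        quiet = authorize_user_logged(deny, *call)
        loud = authorize_user_logged(deny, *call, verbose_security=True)
    finally:
        log.removeHandler(handler)
    return silent, quiet, loud, [r.getMessage() for r in handler.records]
```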