[zope2-tracker] [Bug 1248529] [NEW] New SecurityManager in AccessControl.RoleManager.manage_getUserRolesAndPermissions breaking permissions check

Gagaro gagaro42 at gmail.com
Wed Nov 6 14:30:49 CET 2013


Public bug reported:

Hello,

There is a newSecurityManager in manage_getUserRolesAndPermissions which
changes the user of the security context:

https://github.com/zopefoundation/AccessControl/blob/master/src/AccessControl/rolemanager.py#L161

However, the original security manager is not reset at the end of the
method. This means that the security context is changed for the rest of
the transaction. The problem is that the new security context is not
good. For example, for a plone site such as:

plone-site
plone-site/object-1
plone-site/object-2

If I call this method while in plone-site/object-1, the new security
context will be:

And the parent of this PAS will be /plone-site/object-1. So if I try to
access plone-site/object-2 (e.g.: using a restrictedTraverse), the
access will be denied because my user account is not in the context of
object-2. Exact error message is:

"Your user account is defined outside the context of the object being
accessed."

For info, the check failing is aq_inContextOf.

Is the newSecurityManager really necessary? And if it is, shouldn't the
original security manager be saved and reset at the end of the method
(i.e.: sm = getSecurityManager() [...] setSecurityManager(sm))?

Thanks

** Affects: zope2
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Zope 2
Developers, which is subscribed to Zope 2.
https://bugs.launchpad.net/bugs/1248529
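The failure mode in the report, and the save-and-restore fix the reporter proposes, shown as an added example that is not code from the AccessControl project. It is a self-contained stand-in: the thread-local manager slot, the `User`, `SecurityManager` and `in_context_of` classes and the one-argument `newSecurityManager` are simplifications written for this example (the real `AccessControl.SecurityManagement.newSecurityManager` takes a request as well, and the real check is `aq_inContextOf` on acquisition wrappers). The site layout and users are constructed to match the plone-site/object-1/object-2 scenario described above.

```python
"""Simulate a security-context switch that is (or is not) restored.

Added example; the names mirror AccessControl's getSecurityManager /
newSecurityManager / setSecurityManager but the implementations here are
simplified stand-ins, not the project's code.
"""
import threading

# Per-thread slot holding the current security manager, as in AccessControl.
_local = threading.local()


class User:
    """A user defined in a user folder living at ``context_path``."""

    def __init__(self, name, context_path, roles):
        self.name = name
        self.context_path = context_path.rstrip("/")  # e.g. "/plone-site"
        self.roles = list(roles)

    def in_context_of(self, obj_path):
        """Simplified stand-in for aq_inContextOf: the object must be at or
        below the folder the user account is defined in."""
        return obj_path == self.context_path or obj_path.startswith(
            self.context_path + "/"
        )


class SecurityManager:
    def __init__(self, user):
        self.user = user

    def validate(self, obj_path):
        """Raise the error from the report when the user is out of context."""
        if not self.user.in_context_of(obj_path):
            raise PermissionError(
                "Your user account is defined outside the context of the "
                "object being accessed."
            )
        return True


def getSecurityManager():
    return getattr(_local, "manager", None)


def setSecurityManager(manager):
    _local.manager = manager


def newSecurityManager(user):  # simplified: the real call also takes a request
    setSecurityManager(SecurityManager(user))


def get_roles_buggy(user):
    """Mirrors the reported behaviour: switch context and never switch back."""
    newSecurityManager(user)
    return sorted(user.roles)


def get_roles_fixed(user):
    """Save the caller's manager and restore it even if the lookup raises."""
    saved = getSecurityManager()
    newSecurityManager(user)
    try:
        return sorted(user.roles)
    finally:
        setSecurityManager(saved)


def run_scenario(lookup):
    """Run one request: a site-wide user inspects a locally defined user's
    roles while in object-1, then traverses to object-2.

    Returns (roles, traversal_allowed, user_left_in_context)."""
    site_user = User("site-admin", "/plone-site", ["Manager"])
    newSecurityManager(site_user)  # the request's real security context
    local_user = User("local-user", "/plone-site/object-1", ["Reader"])
    roles = lookup(local_user)
    try:
        getSecurityManager().validate("/plone-site/object-2")
        allowed = True
    except PermissionError:
        allowed = False
    return roles, allowed, getSecurityManager().user.name


if __name__ == "__main__":
    print("buggy:", run_scenario(get_roles_buggy))
    print("fixed:", run_scenario(get_roles_fixed))
```

With the unrestored switch, the rest of the request runs as `local-user`, whose account lives under object-1, so the later access to object-2 fails the context check; the `try`/`finally` variant puts the original manager back regardless of how the lookup exits, which is the pattern the report asks for.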
