Silva

accessing the SMI directly if public view access restrictions is set leads to AttributeError instead of authorization

Bug #100907 reported by Clemens Robbenhaar
12
Affects Status Importance Assigned to Milestone
Silva
Fix Released
Medium
Joachim Scmitz

Bug Description

Steps to reproduce:

 a) set an access restriction on the Silva Root of
    e.g. "Viewer" (at least not authenticated)
 b) logout or resart the browser
 c) go directly to the SMI without visiting the public view

instead of an authorization popup one gets an error page with
an AttributeError

This has been originally reported by Samuel Schluep in

http://lists.infrae.com/pipermail/silva-dev/2003q4/000870.html

(and earlier by myself in
http://lists.infrae.com/pipermail/silva-dev/2003q2/000168.html
but I did not figure out that the view restriction is an important part
of the puzzle, so nobody has been able to reproduce this :-/ )

Surprisingly this does not cause problems when accessing the SMI
via appending "/edit/tab_edit", only when appending "/edit"

A possible fix is to declare a security restriction on
the "edit" attribute of SilvaObject.
 I have just checked this and it seems to work.

Before I check in anything related to this issue, could please someone
else try to reploduce it?

Tags: silva-0.9.1
Revision history for this message
Philipp Schroeder (philipp.schroeder) wrote :

Hi Clemens,

We have discovered this bug a couple of weeks ago, but didn't submit it becasue
we couldn't figure out whether it really was a silva bug or something we were
doing wrong with our general zope permission settings!

So yes, I can reproduce this with Silva 0.9.2.5.

Revision history for this message
Clemens Robbenhaar (crobbenhaar) wrote :

I am going to check in a fix this evening (not earlier, sorry).

This should fix the issue for Silva-0.9.2 and .3

unfortunately I don't have an operable instance for the tip
of the 0.9.1-branch yet. Is someone else there who could
put in the chnages there?

Revision history for this message
Clemens Robbenhaar (crobbenhaar) wrote :

Issue should be fixed on the cvs head
and the 0.9.2 branch

Revision history for this message
Samuel Schluep (schluep) wrote :

I have tested the new SilvaObject of the Silva-0.9.2 branch. It is ok. Thanks!

Revision history for this message
Joachim Scmitz (js-aixtraware) wrote :

tested with 0.9.3 o.k.

Revision history for this message
Joachim Scmitz (js-aixtraware) wrote :

could someone test this with 0.9.1

Revision history for this message
Clemens Robbenhaar (crobbenhaar) wrote :

no need to test:
it is not fixed in 0.9.1 if I did not overlooked something

Revision history for this message
Joachim Scmitz (js-aixtraware) wrote :

tested with 0.9.2 o.k.

so setting to resolved

Revision history for this message
Joachim Scmitz (js-aixtraware) wrote :

forgott to resolve

Revision history for this message
Martijn Faassen (faassen) wrote :

> it is not fixed in 0.9.1 if I did not overlooked something

Reviving this one, though I hope we can re-resolve it quickly. It seems the
problem may still persist in 0.9.1? Or did I miss something and was this tested
and resolved as well?

Revision history for this message
Clemens Robbenhaar (crobbenhaar) wrote :

no, isn't fixed for 0.9.1.

 a simple 'cvs up -j 1.83.2.3 -j 1.83.2.4 SilvaObject.py'
+ commit on a checkout of the Silva-0_9_1-branch should fix it.

I don't have a running 0.9.1-instance thus I did not do it.

Revision history for this message
Clemens Robbenhaar (crobbenhaar) wrote :

Well, this issue _should_ be fixed right now on the 0.9.1-branch, too.

Revision history for this message
Kit Blake (kitblake) wrote :

(Old issue cleanup)

Changed in silva:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.