PluggableAuthService._authorizeUser() silently eats Unauthorized exceptions
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Zope 2 |
Invalid
|
Undecided
|
Unassigned | ||
| Zope PAS |
New
|
Undecided
|
Unassigned | ||
Bug Description
[copied from http://
I don't know when this has happened, but PluggableAuthSe
Particularly it looks like at least when resolving List Folder Contents for folder_contents view, the exception gets eaten.
Later this is translated to very unhelpful error message by ZPublisher
I am not sure how this exception should be handled, as it seems that _authorizeUser() might be called many times by the same request. I recommend if the verbose security is on, we log all the errors to logging output as INFO level, at least get some hint what's going on.
Plone 4.1 and some customizations in place - I did not try this in vanilla Plone yet, as I am still debugging what's causing the permission problem in the first place.
{{{
Traceback (innermost last):
Module ZPublisher.Publish, line 115, in publish
Module ZPublisher.
Module ZPublisher.
Unauthorized: <strong>You are not authorized to access this resource.
No Authorization header found.</p>
}}}
Below is a stop gap fix, also showing the code in the question, where the hair pulling happens
{{{
security.
def _authorizeUser( self
""" -> boolean (whether user has roles).
o Add the user to the SM's stack, if successful.
o Return
"""
user = aq_base( user ).__of__( self )
security = getSecurityMana
print "Validating security"
try:
try:
if roles is _noroles:
except Exception, e:
except Unauthorized, e:
import traceback ; traceback.
pass
return 0
}}}
| Hanno Schlichting (hannosch) wrote | #1 |
| Changed in zope2: | |
| status: | New → Invalid |
The report is for PAS - not Zope2.