ImplPython initialisation is also required for ImplC
Bug #1169923 reported by Kazuhiko
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Zope 2 | Fix Released | Undecided | Tres Seaver | |
Bug Description
ImplC's checkPermission() just calls ImplPython's checkPermission(), but ImplPython is not initialised based on the configuration. Thus 'skip-ownership
I found this issue on Zope 2.12.26, but this issue exists on the current Zope and AccessControl repositories as well.
Changed in zope2: | |
milestone: | none → 2.13.21 |
status: | Fix Committed → Fix Released |
I have written two patches fixing this issue (FTR, with both patches applied, all the tests from AccessControl are passing):
1) The main patch defines getattr() in the C implementation of ZopeSecurityPolicy. Thus, when checkPermission() (ImplPython) is called (from ImplC.ZopeSecurityPolicy.checkPermission()) and accesses the _ownerous and _authenticated instance attributes, getattr() returns their expected values from the ImplC ownerous and authenticated static variables. Before, it was just returning instance attributes set in the ImplPython ZopeSecurity() constructor, thus completely ignoring the ImplC ones. This is actually very similar to what is done with SecurityManager thread_id and context, for example.
Another different implementation could have been to use PyObject for ownerous and authenticated (like C implementation of SecurityManager does actually), but I don't think that's necessary and it makes things more complicated.
I didn't define setattr() in C implementation of ZopeSecurityPolicy because I don't think that's relevant, but I initially defined it, so let me know if you want me to attach that patch as well.
2) The second smaller patch fixes a typo leading authenticated to never be set from setDefaultBehaviors() parameter value.
In order to debug this issue, I created one Python Script whose owner is 'System Processes' and with 'Manager' as Proxy Roles. This script calls checkPermission() on an object where only Manager has 'Access contents information' permission. After setting 'skip-ownership-checking' to 'on' in zope.conf and trying to access the script as Anonymous user:
- Before: checkPermission() returns 1 with ImplPython and 0 with ImplC.
- After: checkPermission() returns 1 with both ImplPython and ImplC.
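
A simplified Python model of the behaviour described in the comment above, added here as an illustration and not taken from AccessControl or the attached patches. The class names, `set_default_behaviors`, the module-level flags, the ownership rule and the mapping of 'skip-ownership-checking on' to `ownerous=0` are assumptions made for the model.

```python
# Simplified model of the bug; constructed for illustration, not AccessControl source.
# All class and function names below are hypothetical.

# Stand-ins for the C extension's static flags, updated from zope.conf.
_c_ownerous = 1
_c_authenticated = 1

def set_default_behaviors(ownerous, authenticated):
    global _c_ownerous, _c_authenticated
    _c_ownerous, _c_authenticated = ownerous, authenticated

class PyPolicy:
    """Python-side policy: flags are copied to instance attributes once."""
    def __init__(self, ownerous=1, authenticated=1):
        self._ownerous = ownerous
        self._authenticated = authenticated

    def checkPermission(self, needed, caller_roles, owner_roles, proxy_roles):
        # Assumed ownership rule: the script owner must hold a needed role.
        if self._ownerous and not set(owner_roles) & set(needed):
            return 0
        # Proxy roles, when present, replace the caller's own roles.
        effective = proxy_roles or caller_roles
        return 1 if set(effective) & set(needed) else 0

class CPolicyBuggy(PyPolicy):
    """Delegates to the Python check, which reads constructor defaults."""

class CPolicyFixed(PyPolicy):
    """Reads of the two flags are answered from the C-side statics."""
    def __getattribute__(self, name):
        if name == "_ownerous":
            return _c_ownerous
        if name == "_authenticated":
            return _c_authenticated
        return object.__getattribute__(self, name)

def run_scenario():
    # Model assumption: skip-ownership-checking "on" means ownerous is off.
    set_default_behaviors(ownerous=0, authenticated=1)
    args = dict(needed=["Manager"], caller_roles=["Anonymous"],
                owner_roles=[], proxy_roles=["Manager"])
    return {
        "python": PyPolicy(ownerous=0).checkPermission(**args),
        "c_buggy": CPolicyBuggy().checkPermission(**args),
        "c_fixed": CPolicyFixed().checkPermission(**args),
    }
```

In this model the buggy subclass denies access because it still sees the constructor default, while the fixed subclass follows whatever the configuration last set.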