Zope 2

New SecurityManager in AccessControl.RoleManager.manage_getUserRolesAndPermissions breaking permissions check

Bug #1248529 reported by Gagaro on 2013-11-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Zope 2	Invalid	Undecided	Unassigned

Bug Description

Hello,

There is a newSecurityManager in manage_getUserRolesAndPermissions which change the user of the security context:

https://github.com/zopefoundation/AccessControl/blob/master/src/AccessControl/rolemanager.py#L161

However, the original security manager is not reset at the end of the method. This means that the security context is changed for the rest of the transaction. The problem is that the new security context is not good. For example for a plone site as such:

plone-site
plone-site/object-1
plone-site/object-2

If a call this method while in plone-site/object-1, the new security context will be:

And the parent of this PAS will be /plone-site/object-1. So if I try to access plone-site/object-2 (e.g.: using a restrictedTraverse), the access will be denied because my user account is not in the context of object-2. Exact error message is:

"Your user account is defined outside the context of the object being accessed."

For info, the check failing is aq_inContextOf.

Is the newSecurityManager really necessary ? And if it is, shouldn't the original security manager be saved and reset at the end of the method (i.e.: sm = getSecurityManager() [...] setSecurityManager(sm)) ?

Thanks