Subtle problem with introduction of new PermissionProxy
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Zope 3 | Won't Fix | Medium | Unassigned | |
zope.security | Won't Fix | Medium | Unassigned | |
Bug Description
This is a subtle problem, and a little hard to explain. I've included a sample view + ZCML to illustrate -- see below.
The problem comes up when you have a view that implements IBrowserPublisher and returns itself in browserDefault (see sample below).
The code that looks up browserDefault is in zope\app\
56: if IBrowserPublish
57: # ob is already proxied, so the result of ...
58: return ob.browserDefau
When PermissionProxy is used, 'ob' is a correctly security-proxied PermissionProxy instance. The permissions on 'ob' work as expected.
When 'ob' returns itself in browserDefault, however, it returns a security-proxied version of the base object -- not the permission proxy that owns the __Security_
This problem didn't occur before because 'proxify' either modified the utility's __Security_
This may not actually be a 'bug', but it's *very* subtle behavior -- and hard to track down if you run into it. There are a couple work-arounds in ZCML:
- Declare permissions for the view class
- Use the zope:adapter directive to register the view
================== test.py =======
from zope.interface import Interface, Attribute, implements
from zope.publisher.
from zope.app.

class ISampleView(
    foo = Attribute("Sample attr.")

class SampleView(object):
    implements(

    def __init__(self, context, request):
        self.foo = 'Foo'

    def browserDefault(
        return self, ()

    def publishTraverse
        raise TraversalError(

    def __call__(self):
        return self.foo
================ test-configure.zcml =================
<configure xmlns="http://
  <view
      name="test"
      type=
      for="*"
      provides=
      factory=
      permission=
      allowed_
</configure>
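A simplified pure-Python model of the behaviour described in the report, added here as an illustration; it is not zope.security or Zope 3 code, and every class and function name in it is constructed. It assumes the security layer uses an object's own checker when it has one and otherwise falls back to class-level declarations, which is why declaring permissions for the view class (the first workaround) restores access.

```python
# Simplified model of this report's behaviour, NOT zope.security code; names are constructed.
class Forbidden(Exception):
    pass

CLASS_CHECKERS = {}  # class -> allowed names; stands in for class-level declarations

class PermissionProxy:
    """Wrapper that owns a checker and forwards everything else."""
    def __init__(self, target, checker):
        self._target, self.checker = target, checker
    def __getattr__(self, name):
        # Bound to the target: `self` inside the method is the bare object.
        return getattr(self._target, name)

class SecurityProxy:
    def __init__(self, obj, checker):
        self._obj, self._checker = obj, checker
    def __getattr__(self, name):
        if name not in self._checker:
            raise Forbidden(name)
        value = getattr(self._obj, name)
        if callable(value):  # results of calls are proxied too
            return lambda *a, **kw: secure(value(*a, **kw))
        return secure(value)

def secure(value):
    """Proxy with the value's own checker, else its class's, else deny all."""
    if isinstance(value, tuple):
        return tuple(secure(v) for v in value)
    if isinstance(value, str):
        return value
    own = getattr(value, "checker", CLASS_CHECKERS.get(type(value), frozenset()))
    return SecurityProxy(value, own)

class SampleView:
    foo = "Foo"
    def browserDefault(self, request):
        return self, ()

def run(declare_class_permissions):
    CLASS_CHECKERS.clear()
    allowed = frozenset({"browserDefault", "foo"})
    if declare_class_permissions:
        CLASS_CHECKERS[SampleView] = allowed  # first workaround from the report
    ob = secure(PermissionProxy(SampleView(), allowed))
    default, _path = ob.browserDefault(None)
    try:
        return ob.foo, default.foo
    except Forbidden as exc:
        return ob.foo, "Forbidden: %s" % exc
```

`run(False)` shows the original object readable while the object returned by `browserDefault` is denied; `run(True)` shows both readable once the class itself carries the declaration.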
Changed in zope.security:
importance: Undecided → Medium
status: New → Confirmed
Changed in zope3:
status: Confirmed → Won't Fix
Changes: submitter email, importance (medium => critical)