PluggableAuthService._authorizeUser() silently eats Unauthorized exceptions

Bug #1023561 reported by kleist
This bug affects 1 person
Affects     Status     Importance   Assigned to   Milestone
Zope 2      Invalid    Undecided    Unassigned
Zope PAS               Undecided    Unassigned

Bug Description

[copied from http://dev.plone.org/ticket/12273]

I don't know when this has happened, but PluggableAuthService._authorizeUser() silently eats Unauthorized exceptions, making debugging of some permission problem cases impossible.

In particular, it looks like the exception gets eaten at least when resolving List Folder Contents for the folder_contents view.

Later this is translated into a very unhelpful error message by ZPublisher.

I am not sure how this exception should be handled, as it seems that _authorizeUser() might be called many times by the same request. I recommend that if verbose security is on, we log all the errors to the logging output at INFO level, to at least get some hint of what's going on.

Plone 4.1 with some customizations in place; I did not try this in vanilla Plone yet, as I am still debugging what's causing the permission problem in the first place.

{{{
Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.BaseRequest, line 625, in traverse
  Module ZPublisher.HTTPResponse, line 756, in unauthorized
Unauthorized: <strong>You are not authorized to access this resource.</strong><p>
No Authorization header found.</p>
}}}

Below is a stop-gap fix, also showing the code in question, where the hair pulling happens.

{{{
    # Names used below come from the surrounding PAS module (not imported in this
    # snippet): aq_base from Acquisition; newSecurityManager, noSecurityManager,
    # getSecurityManager from AccessControl.SecurityManagement; Unauthorized from
    # AccessControl; _noroles is the module-level sentinel.
    security.declarePrivate( '_authorizeUser' )
    def _authorizeUser( self
                      , user
                      , accessed
                      , container
                      , name
                      , value
                      , roles=_noroles
                      ):

        """ -> boolean (whether user has roles).

        o Add the user to the SM's stack, if successful.

        o Return
        """
        user = aq_base( user ).__of__( self )
        newSecurityManager( None, user )
        security = getSecurityManager()
        print "Validating security"   # stop-gap: trace every validate() call
        try:
            try:
                if roles is _noroles:
                    if security.validate( accessed
                                        , container
                                        , name
                                        , value
                                        ):
                        return 1
                else:
                    if security.validate( accessed
                                        , container
                                        , name
                                        , value
                                        , roles
                                        ):
                        return 1
            except Exception, e:
                # any failure (Unauthorized included): drop the temporary
                # security manager and re-raise
                import traceback ; traceback.print_exc()
                noSecurityManager()
                raise

        except Unauthorized, e:
            # Unauthorized is swallowed here and becomes a plain 0 (the bug);
            # the stop-gap prints the traceback so the real cause is visible
            import traceback ; traceback.print_exc()
            pass

        return 0
}}}
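The recommendation above (log swallowed Unauthorized errors at INFO when verbose security is on, without changing the 0/1 result) as an added, self-contained example; this is not PAS code. Unauthorized is a stand-in for AccessControl.Unauthorized and validate() for SecurityManager.validate; the log lines are captured in memory so the effect can be checked.

```python
import logging
# Stand-ins (assumption): Unauthorized for AccessControl.Unauthorized,
# validate() for SecurityManager.validate; this is not PAS code.
class Unauthorized(Exception):
    pass

_noroles = object()  # sentinel, like PAS' module-level _noroles
logger = logging.getLogger("PluggableAuthService.verbose")

class RecordingHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []  # formatted log lines, inspected by the caller
    def emit(self, record):
        self.lines.append(self.format(record))

def authorize_user(validate, accessed, container, name, value,
                   roles=_noroles, verbose_security=False):
    """Model of _authorizeUser: 1 if validate() accepts the access, else 0. An
    Unauthorized still yields 0 but is logged at INFO when verbose_security is on."""
    args = (accessed, container, name, value)
    if roles is not _noroles:
        args += (roles,)
    try:
        if validate(*args):
            return 1
    except Unauthorized as e:
        if verbose_security:
            logger.info("Unauthorized validating %r on %r: %s", name, container, e)
    return 0

def make_validate(outcome):
    # Stand-in validate(): returns outcome, or raises it if it is an exception.
    def validate(*args):
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return validate

def run_case(outcome, verbose_security):
    """Run one authorization attempt; return (result, captured log lines)."""
    handler = RecordingHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    try:
        return (authorize_user(make_validate(outcome), None, "folder", "folder_contents",
                               None, verbose_security=verbose_security), handler.lines)
    finally:
        logger.removeHandler(handler)
```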

Hanno Schlichting (hannosch) wrote:

The report is for PAS - not Zope2.

Changed in zope2:
status: New → Invalid