New SecurityManager in AccessControl.RoleManager.manage_getUserRolesAndPermissions breaking permissions check
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Zope 2 | Invalid | Undecided | Unassigned | |
Bug Description
Hello,
There is a newSecurityManager in manage_
https:/
However, the original security manager is not reset at the end of the method. This means that the security context is changed for the rest of the transaction. The problem is that the new security context is not good. For example for a plone site as such:
plone-site
plone-site/object-1
plone-site/object-2
If I call this method while in plone-site/
And the parent of this PAS will be /plone-
"Your user account is defined outside the context of the object being accessed."
For info, the check failing is aq_inContextOf.
Is the newSecurityManager really necessary? And if it is, shouldn't the original security manager be saved and reset at the end of the method (i.e.: sm = getSecurityMana
Thanks
Also reported on GitHub: https://github.com/zopefoundation/AccessControl/issues/4
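The following is an added example, not code from the bug report or from the AccessControl project. It uses a small thread-local stand-in (assumed names mirror `getSecurityManager`, `newSecurityManager` and `setSecurityManager` but are not the real library) to show how a method that swaps the security manager without restoring it leaks the new context into the rest of the request, and the save/restore pattern the reporter asks about.

```python
# Added example (not from the bug report or the AccessControl project): a
# minimal stand-in for a thread-local security-manager registry, used to show
# why a newSecurityManager() call that is never undone leaks into the rest of
# the request, and the save/restore pattern that fixes it.
import threading

_managers = {}  # thread ident -> current security manager (stand-in registry)


class SecurityManager:
    """Stand-in for a security manager: only remembers which user it wraps."""
    def __init__(self, user):
        self.user = user


def getSecurityManager():
    return _managers.get(threading.get_ident())


def newSecurityManager(request, user):
    # Mirrors the shape of the real call: installs a fresh manager for this thread.
    _managers[threading.get_ident()] = SecurityManager(user)


def setSecurityManager(manager):
    if manager is None:
        _managers.pop(threading.get_ident(), None)
    else:
        _managers[threading.get_ident()] = manager


def buggy_get_roles(context_user, request=None):
    """Pattern described in the report: swap the manager and never put it back."""
    newSecurityManager(request, context_user)
    return ["Member"]  # constructed stand-in for the roles actually computed


def fixed_get_roles(context_user, request=None):
    """Same lookup, but the caller's manager is saved and restored afterwards."""
    saved = getSecurityManager()
    newSecurityManager(request, context_user)
    try:
        return ["Member"]
    finally:
        setSecurityManager(saved)  # runs even if the lookup raises


def leaks_context(roles_func):
    """Return True if roles_func leaves a different manager installed afterwards."""
    newSecurityManager(None, "site-admin")  # constructed: the real request's user
    before = getSecurityManager()
    roles_func("looked-up-user")
    return getSecurityManager() is not before
```

Running `leaks_context` on both variants shows the buggy one leaves the looked-up user's manager installed for the remainder of the request, which is the state in which later `aq_inContextOf` checks fail as the report describes.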