Unexpected authorization failure during traversal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Invalid | Medium | Unassigned |
Bug Description
CHANGES.txt in Zope 2.7.5 final (2005/03/20), contains the following entry:

    * AccessControl/
      called for authenticated users.
The corresponding change produces unexpected authorization failure during traversal. Code which ran without error under previous versions of Zope fails under 2.7.5-final.
The behavior can be reproduced as follows:

1. Install Zope-2.7.5-final and bring up an instance with default settings;
2. Create a folder and subfolder, "/a/b".
3. Create a user folder acl_users at top level, and create a user User1 in it.
3. Place a method "m1" at top level, which accesses properties of its context.
4. In the Security tab, make the following two changes:
   - Deny the View permission to the Anonymous role; and
   - Explicitly grant all permissions to Authenticated, including View.
5. Log in as User1.
5. Access the following path: /a/b/m1
6. The result on our installation of 2.7.5-final is an authentication error:

       You are not authorized to access this resource
       Username and password are not correct. (Also, an
       error occurred while attempting to render the
       standard error message.)
This does not seem to be correct behavior. Zope versions prior to 2.7.5-final run this case without error.
The Japanese colleague on whose behalf I am filing this issue (Tokuyasu Kakuta) suggests unwinding the change by replacing lines 185 and 186 in Users.py with " return 1". This restores the previous behavior.
Thank you for the detailed report. Unfortunately, I am unable
to reproduce your error against the head of the 2.7 branch,
which has the same code in User.py as 2.7.5.
Here is some additional detail about my attempts:
- In step 3, you do not specify the kind of access which
  the method makes of its context. Here is the text of
  the PythonScript I used
  (http://localhost:8080/m1/document_src)::

    ## Script (Python) "m1"
    ##bind container=container
    ##bind context=context
    ##bind namespace=
    ##bind script=script
    ##bind subpath=traverse_subpath
    ##parameters=
    ##title=
    ##
    return context.title_or_id()
- In step 4, you don't specify whether you are making the
  changes to the "Security" tab of the root folder or of
  either '/a' or '/a/b'. I tried both the root folder,
  and also '/a' (where I had to clear the "Acquire" field).
- In step 5, you say "Log in as User1"; I don't know how
you mean to do that (User1 has no roles at all on my system).
- I pasted the following URL into a new browser session:
  http://localhost:8080/a/b/m1
got challenged for HTTP basic auth, entered 'User1' and
the corresponding password, and was able to see the title
of the 'b' subfolder without further challenge.
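The two setups discussed in this thread, as an added example that is not Zope's code and was not posted by either participant: a small Python model of Zope 2 style permission-to-role mappings with acquisition along the traversal path. The class names, the constructed /a/b tree and the users are assumptions made for the illustration. It shows what both messages expect: User1, who has no assigned roles but carries the 'Authenticated' role once logged in, reaches /a/b/m1 whether View is granted to Authenticated on the root (the reporter's step 4) or on /a with "Acquire" cleared (the responder's variant), while an unauthenticated request is refused. It also shows the caveat behind the responder's remark about clearing "Acquire": doing that on /a without granting View there locks out every role, Manager included.

```python
"""Toy model of Zope 2 style permission checks along a traversal path.

Added illustration for the bug report above; it is not Zope's code, and the
class names, the folder tree and the users below are assumptions made for
the example. It models three rules the report relies on:

  * each object maps a permission to the roles allowed to use it and, when
    its "Acquire" box is ticked (the default), also inherits the parent's
    roles for that permission;
  * a logged-in user carries the 'Authenticated' role on top of any roles
    assigned in acl_users; an unauthenticated request carries 'Anonymous';
  * if the effective roles for a permission contain 'Anonymous', anyone is
    allowed regardless of their own roles.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

VIEW = "View"


@dataclass
class Node:
    """A folder or script together with its own Security tab settings."""
    name: str
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)
    local: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # permission -> roles
    acquire: Dict[str, bool] = field(default_factory=dict)          # permission -> Acquire box

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child

    def lookup(self, name: str) -> "Node":
        """Find `name` here or, by acquisition, in an ancestor (how /a/b/m1 reaches the root's m1)."""
        here: Optional[Node] = self
        while here is not None:
            if name in here.children:
                return here.children[name]
            here = here.parent
        raise KeyError(name)

    def effective_roles(self, permission: str) -> FrozenSet[str]:
        """Roles granted here, plus the parent's when the Acquire box is ticked."""
        roles = self.local.get(permission, frozenset())
        if self.acquire.get(permission, True) and self.parent is not None:
            roles = roles | self.parent.effective_roles(permission)
        return roles


@dataclass
class User:
    name: str
    roles: FrozenSet[str] = frozenset()   # roles assigned in acl_users (User1 has none)
    authenticated: bool = True

    def effective_roles(self) -> FrozenSet[str]:
        if not self.authenticated:
            return frozenset({"Anonymous"})
        return self.roles | frozenset({"Authenticated"})


def allowed(user: User, node: Node, permission: str = VIEW) -> bool:
    """A grant to Anonymous admits everyone; otherwise the user needs a matching role."""
    obj_roles = node.effective_roles(permission)
    return "Anonymous" in obj_roles or bool(obj_roles & user.effective_roles())


def traverse(root: Node, path: str, user: User, permission: str = VIEW) -> List[str]:
    """Walk `path` from the root and return the objects that refuse `user`.

    An empty list is the outcome the reporter expects for User1 on /a/b/m1.
    """
    node = root
    denied = [] if allowed(user, node, permission) else ["/"]
    for name in filter(None, path.split("/")):
        node = node.lookup(name)
        if not allowed(user, node, permission):
            denied.append(name)
    return denied


def reporters_tree() -> Node:
    """Steps 2-4 of the report: /a/b plus m1 at the root; on the root's Security
    tab View is taken away from Anonymous and granted to Authenticated."""
    root = Node("")
    root.add(Node("a")).add(Node("b"))
    root.add(Node("m1"))
    root.local[VIEW] = frozenset({"Authenticated", "Manager"})
    return root


def responders_tree(grant_authenticated: bool = True) -> Node:
    """The responder's variant: the root keeps the stock grant of View to Anonymous,
    /a clears its Acquire box and (optionally) grants View to Authenticated."""
    root = reporters_tree()
    root.local[VIEW] = frozenset({"Anonymous", "Manager"})
    a = root.children["a"]
    a.acquire[VIEW] = False
    a.local[VIEW] = frozenset({"Authenticated", "Manager"}) if grant_authenticated else frozenset()
    return root


USER1 = User("User1")                                  # logged in, no assigned roles
NOBODY = User("Anonymous User", authenticated=False)   # unauthenticated request

if __name__ == "__main__":
    cases = (("root settings", reporters_tree()),
             ("/a settings, Acquire cleared", responders_tree()),
             ("/a Acquire cleared, nothing granted", responders_tree(False)))
    for label, tree in cases:
        for who in (USER1, NOBODY):
            print(f"{label:36} {who.name:15} denied at {traverse(tree, '/a/b/m1', who)}")
```

The model deliberately applies acquisition in two places, as Zope does: the name lookup (m1 lives at the root but is found from /a/b) and the permission settings (/a and /a/b inherit the root's View roles unless their Acquire box is cleared). Whichever folder carries the grant, User1 is admitted only because a logged-in user gets 'Authenticated' implicitly, which is why the responder's question about User1 having "no roles at all" matters.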