UnauthorizedBinding Context is not being handled at all by MultiAdapters

Bug #511294 reported by Patrick Gerken
This bug affects 1 person
Affects: Zope 2
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

In svn commit 24375,

http://svn.zope.org/Zope/trunk/lib/python/Shared/DC/Scripts/Bindings.py?rev=24375&r1=24352&r2=24375

a workaround for better security handling was added.

Instead of throwing an Unauthorized Exception, it returns a Context that will most probably throw an Unauthorized Exception later, while trying to access a member.

But nowadays we can try to get a view with MultiAdapters, and these throw a KeyError, which is then not handled as an Unauthorized Exception. I wonder if this workaround for Workflows can be removed. I mean, it's been 6 years now.

The issue materializes itself in Plone, the bug report there is this one:
http://dev.plone.org/plone/ticket/9394

summary: - UnauthorizedBinding Context is not being handlet at all by MultiAdapters
+ UnauthorizedBinding Context is not being handled at all by MultiAdapters
Tres Seaver (tseaver) wrote : Re: [zope2-tracker] [Bug 511294] [NEW] UnauthorizedBinding Context is not being handled at all by MultiAdapters

Patrick Gerken wrote:
> Public bug reported:
>
> In svn commit 24375,
>
> http://svn.zope.org/Zope/trunk/lib/python/Shared/DC/Scripts/Bindings.py?rev=24375&r1=24352&r2=24375
>
> a workaround for better security handling was added.
>
> Instead of throwing an Unauthorized Exception, it returns a Context that
> will most probably throw an Unauthorized Exception later, while trying
> to access a member.
>
> But nowadays we can try to get a view with MultiAdapters, and these
> throw a KeyError, which is then not handled as an Unauthorized Exception.
> I wonder if this workaround for Workflows can be removed. I mean, it's
> been 6 years now.

This isn't a workaround: it is there so that no matter what, a script
can't be used to access something the user doesn't have permissions for.

> The issue materializes itself in Plone, the bug report there is this one:
> http://dev.plone.org/plone/ticket/9394

To put a prettier user experience on the case in that Plone bug, try
registering a traversal adapter for the UnauthorizedBinding which
unconditionally raises Unauthorized. If that works out, we could look
at doing such a registration inside Zope.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com

Changed in zope2:
importance: Undecided → Low
status: New → Confirmed
STX Next (opensource-stxnext) wrote :

Tres Seaver wrote:

> To put a prettier user experience on the case in that Plone bug, try
> registering a traversal adapter for the UnauthorizedBinding which
> unconditionally raises Unauthorized. If that works out, we could look
> at doing such a registration inside Zope.

I did as Tres Seaver suggested in comment 1.
See: http://paste.pound-python.org/show/4847/

I can confirm that this solution fixes the TraversalError when opening atct_edit in Plone 3.3.4.
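
The failure mode discussed in this thread and the fix Tres Seaver suggests, as a stand-alone model added here (not code from the thread, the linked paste, or Zope). `DeniedBinding`, `Registry`, `ViewLookupError`, `refuse` and the other names are hypothetical stand-ins for UnauthorizedBinding, the adapter lookup and its lookup error; no Zope API is used.

```python
class Unauthorized(Exception):
    """Stand-in for the Unauthorized exception named in the thread."""

class ViewLookupError(LookupError):
    """Stand-in for the lookup failure (KeyError / TraversalError) reported."""

class Request: pass

class Document:
    title = "draft"

class DeniedBinding:
    """Bound in place of a context the user may not access. It refuses on
    member access, not at bind time (the behaviour the report describes)."""
    def __init__(self, name):
        self._name = name
    def __getattr__(self, attr):
        raise Unauthorized("Not authorized to access binding: %s" % self._name)

def refuse(context, request, name):
    """Traverser registered for DeniedBinding: unconditionally refuses."""
    raise Unauthorized("Not authorized to access this context")

class Registry:
    """Toy lookup keyed on object *types*. It never reads a member of the
    context, so DeniedBinding.__getattr__ is never triggered by it."""
    def __init__(self):
        self.views = {}        # (context type, request type, name) -> factory
        self.traversers = {}   # context type -> callable(context, request, name)
    def traverse(self, context, request, name):
        traverser = self.traversers.get(type(context))
        if traverser is not None:
            return traverser(context, request, name)
        try:
            factory = self.views[(type(context), type(request), name)]
        except KeyError:
            raise ViewLookupError(name) from None
        return factory(context, request)

def outcome(registry, context, name="edit"):
    try:
        registry.traverse(context, Request(), name)
        return "view"
    except Unauthorized:
        return "Unauthorized"
    except ViewLookupError:
        return "lookup error"

def demo():
    reg = Registry()
    reg.views[(Document, Request, "edit")] = lambda c, r: "edit form: " + c.title
    denied = DeniedBinding("context")
    before = outcome(reg, denied)            # denial surfaces as a lookup error
    reg.traversers[DeniedBinding] = refuse   # the registration suggested above
    return before, outcome(reg, Document()), outcome(reg, denied)

if __name__ == "__main__":
    print(demo())
```

Access is denied in both cases; the registration only changes which exception reaches the caller, so the publisher can treat it as an authorization failure rather than a missing view.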

Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid