UnauthorizedBinding Context is not being handled at all by MultiAdapters
Bug #511294 reported by Patrick Gerken
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Invalid | Low | Unassigned |
Bug Description
In svn commit 24375,
http://svn.zope.org/Zope/trunk/lib/python/Shared/DC/Scripts/Bindings.py?rev=24375&r1=24352&r2=24375
happens a workaround for better Security handling.
Instead of throwing an Unauthorized Exception, it returns a Context that will most probably throw an Unauthorized Exception later, while trying to access a member.
But nowadays, we can try to get a view with MultiAdapters, and these throw a KeyError, that is then not handled as an Unauthorized Exception. I wonder if this workaround for Workflows can be removed. I mean, it's 6 years now.
The issue materializes itself in Plone, the bug report there is this one:
http://dev.plone.org/plone/ticket/9394
summary: UnauthorizedBinding Context is not being handlet at all by MultiAdapters → UnauthorizedBinding Context is not being handled at all by MultiAdapters
Changed in zope2:
importance: Undecided → Low
status: New → Confirmed
Patrick Gerken wrote:
> Public bug reported:
>
> In svn commit 24375,
>
> http://svn.zope.org/Zope/trunk/lib/python/Shared/DC/Scripts/Bindings.py?rev=24375&r1=24352&r2=24375
>
> happens a workaround for better Security handling.
>
> Instead of throwing an Unauthorized Exception, it returns a Context that
> will most probably throw an Unauthorized Exception later, while trying
> to access a member.
>
> But nowadays, we can try to get a view with MultiAdapters, and these
> throw a KeyError, that is then not handled as an Unauthorized Exception.
> I wonder if this workaround for Workflows can be removed. I mean, it's 6
> years now.
This isn't a workaround: it is there so that no matter what, a script
can't be used to access something the user doesn't have permissions for.
> The issue materializes itself in Plone, the bug report there is this one:
> http://dev.plone.org/plone/ticket/9394
To put a prettier user experience on the case in that Plone bug, try
registering a traversal adapter for the UnauthorizedBinding which
unconditionally raises Unauthorized. If that works out, we could look
at doing such a registration inside Zope.
Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          <email address hidden>
Palladion Software   "Excellence by Design"    http://palladion.com
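The two behaviours discussed in this thread, sketched as an added Python illustration that is not Zope's code and not part of the bug report: a sentinel binding that fails closed on attribute access, a view (multi-adapter) lookup keyed on the context's class that turns the same sentinel into a KeyError (and so a 404) instead of Unauthorized, and the traversal adapter Tres suggests, which refuses unconditionally before any lookup can happen. The names `Unauthorized`, `UnauthorizedBinding`, `TraversalRegistry`, `deny_traversal` and `publish` are simplified stand-ins for the Zope 2 concepts, not its real API.

```python
# Added illustration, not code from Zope or from this bug's reporters. The
# class and function names below (Unauthorized, UnauthorizedBinding,
# TraversalRegistry, deny_traversal, publish) are simplified stand-ins for
# the Zope 2 concepts discussed in the thread, not Zope's real API.


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized: the publisher turns this
    into a login challenge rather than a plain error page."""


class NotFound(Exception):
    """Stand-in for the publisher's 404: what a failed view lookup becomes."""


class UnauthorizedBinding(object):
    """Sentinel handed to a script instead of a binding it may not use.

    It fails closed for ordinary use: any attribute access raises
    Unauthorized, so the script cannot read protected data through it.
    """

    def __init__(self, name):
        self._binding_name = name

    def __getattr__(self, attr):
        raise Unauthorized(
            "access to %r denied via binding %r" % (attr, self._binding_name)
        )


class Folder(object):
    """An ordinary context object that has a view registered for it."""


def folder_listing(context, request):
    return "listing of %s" % type(context).__name__


def deny_traversal(context, request, name):
    """Traversal adapter for UnauthorizedBinding: refuse unconditionally,
    before any view lookup can turn the failure into a KeyError."""
    raise Unauthorized("traversal of %r on an unauthorized binding" % name)


class TraversalRegistry(object):
    """Minimal stand-in for view (multi-adapter) lookup keyed on the
    context's class plus a name, with optional per-class traversal adapters."""

    def __init__(self):
        self._views = {}       # (context class, view name) -> factory
        self._traversers = {}  # context class -> traversal adapter

    def register_view(self, context_class, name, factory):
        self._views[(context_class, name)] = factory

    def register_traverser(self, context_class, traverser):
        self._traversers[context_class] = traverser

    def traverse(self, context, request, name):
        traverser = self._traversers.get(type(context))
        if traverser is not None:
            return traverser(context, request, name)
        # Plain multi-adapter lookup: the sentinel is just another class
        # with no views registered, so this never touches __getattr__ and
        # the failure surfaces as KeyError, not Unauthorized.
        try:
            factory = self._views[(type(context), name)]
        except KeyError:
            raise NotFound(name)
        return factory(context, request)


def publish(registry, context, request, name):
    """Run a traversal the way a publisher would and report the HTTP status
    the user ends up seeing: 200, 401 (login challenge) or 404."""
    try:
        registry.traverse(context, request, name)
    except Unauthorized:
        return 401
    except NotFound:
        return 404
    return 200


def attribute_access_status(binding):
    """What a script gets when it touches the sentinel directly."""
    try:
        getattr(binding, "objectValues")
    except Unauthorized:
        return 401
    return 200


def build_registry(with_adapter):
    registry = TraversalRegistry()
    registry.register_view(Folder, "listing", folder_listing)
    if with_adapter:
        registry.register_traverser(UnauthorizedBinding, deny_traversal)
    return registry


if __name__ == "__main__":
    sentinel = UnauthorizedBinding("context")
    request = {}
    print("attribute access:", attribute_access_status(sentinel))
    print("view lookup, no adapter:",
          publish(build_registry(False), sentinel, request, "listing"))
    print("view lookup, with adapter:",
          publish(build_registry(True), sentinel, request, "listing"))
    print("ordinary folder:",
          publish(build_registry(True), Folder(), request, "listing"))
```

Without the traversal adapter the sentinel reaches the publisher as a 404, which is both misleading to the user and invisible to anything that keys on Unauthorized (login redirects, audit hooks); with it, every path through the sentinel ends in the same Unauthorized that direct attribute access already produced.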