Storing method instance of user written class in list confuses Zope access control system.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Invalid | Low | Unassigned |
Bug Description
After moving from Zope 2.10 to 2.12 some existing Python code which accesses self written packages failed. I have created a small test module to show the problem.
Here is Products/
class testc:
    def __init__(self, testval):
        self.testval = testval
    def testv(self):
        return self.testval
And here is Products/
from AccessControl import allow_module
from AccessControl import allow_class
allow_module(
allow_module(
from Products.
allow_class(testc)
The following Script(Python) works as you might expect.
from Products.
xx = testc(7)
return xx.testv()
As does the following
from Products.
xx = testc(7)
yy = xx.testv
return yy()
But the following fails
from Products.
xx = testc(7)
yy = [xx.testv]
zz = yy[0]
return zz()
With error
Error Type: Unauthorized
Error Value: You are not allowed to access 'testv' in this context
I am using Zope 2.12.5 and Python 2.6.5
The same code works fine in Zope 2.10.
affects: acquisition → zope2
Changed in zope2:
status: Incomplete → New
Changed in zope2:
importance: Undecided → Low
status: New → Confirmed
Tony Middleton wrote:
> Public bug reported:
>
> After moving from Zope 2.10 to 2.12 some existing Python code which
> accesses self written packages failed. I have created a small test
> module to show the problem.
>
> Here is Products/testp/testm.py
>
> class testc:
>     def __init__(self, testval):
>         self.testval = testval
>     def testv(self):
>         return self.testval
The fact that access to 'testv' worked in any Zope2 version was the bug:
your class doesn't abide by the Zope2 security policy, which requires
that methods of classes be explicitly protected with a permission, or
else that the class has an '__allow_access_to_unprotected_subobjects__'
which enables access. Your grants allow access to the module and the
class, but not to methods or attributes of the class. See:
http://docs.zope.org/zope2/zdgbook/Security.html
Please try adding the "magic" attribute at class scope, e.g.::

    class testc:
        __allow_access_to_unprotected_subobjects__ = 1
        ...

or else set up explicit security on your class, and initialize the class::

    from AccessControl.SecurityInfo import ClassSecurityInfo
    from App.class_init import InitializeClass

    class testc:
        security = ClassSecurityInfo()
        ...
        security.declarePublic('testv')
        def testv(self):
            ...

    InitializeClass(testc)

If that fixes the issue, then we can re-categorize this as a misfeature
of Zope 2.10.
status incomplete
Tres.
--
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com
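The rule stated in the reply above (each method needs an explicit security declaration, or the class needs the "magic" attribute) can be checked across a code base before an upgrade. This is an added example, not code from the thread or from Zope: a stand-alone, simplified model that assumes a declaration is visible as a `<name>__roles__` class attribute once the class has been initialized; `audit_class`, `default_access` and the sample classes are hypothetical names constructed here.

```python
# Added example: simplified model of the declarations discussed in the reply.
# It does not import Zope and is not AccessControl's own code.
import inspect

MAGIC = "__allow_access_to_unprotected_subobjects__"

def default_access(cls, name):
    """Class-wide fallback: the magic attribute may be a truthy value,
    a dict keyed by attribute name, or a callable taking (name, value)."""
    flag = getattr(cls, MAGIC, None)
    if isinstance(flag, dict):
        return bool(flag.get(name))
    if callable(flag):
        return bool(flag(name, getattr(cls, name)))
    return bool(flag)

def audit_class(cls):
    """Classify each public method as 'declared', 'default' or 'unprotected'."""
    report = {}
    for name, _member in inspect.getmembers(cls, callable):
        if name.startswith("_") or name.endswith("__roles__"):
            continue
        if hasattr(cls, name + "__roles__"):  # assumed trace of a declaration
            report[name] = "declared"
        elif default_access(cls, name):
            report[name] = "default"
        else:
            report[name] = "unprotected"
    return report

# Constructed sample classes (not the reporter's module).
class Bare:  # methods with no declaration, as in the posted class body
    def __init__(self, testval):
        self.testval = testval
    def testv(self):
        return self.testval

class Magic(Bare):  # first suggestion in the reply
    __allow_access_to_unprotected_subobjects__ = 1

class Declared(Bare):  # models the result of declarePublic('testv')
    testv__roles__ = None
    def other(self):
        return 0

class PerName(Declared):  # dict form: only the named attributes are opened
    __allow_access_to_unprotected_subobjects__ = {"other": 1}

if __name__ == "__main__":
    for c in (Bare, Magic, Declared, PerName):
        print(c.__name__, audit_class(c))
```

Methods reported as "unprotected" are the ones to give an explicit declaration; "default" marks methods that are reachable only because of the class-wide attribute.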