Storing method instance of user written class in list confuses Zope access control system.

Bug #580912 reported by Tony Middleton
Affects: Zope 2; Status: Invalid; Importance: Low; Assigned to: Unassigned; Milestone: (none)

Bug Description

After moving from Zope 2.10 to 2.12 some existing Python code which accesses self-written packages failed. I have created a small test module to show the problem.

Here is Products/testp/testm.py

class testc:
  def __init__(self,testval):
    self.testval = testval
  def testv(self):
    return self.testval

And here is Products/testp/__init__.py

from AccessControl import allow_module
from AccessControl import allow_class

allow_module("Products.testp")
allow_module("Products.testp.testm")

from Products.testp.testm import testc
allow_class(testc)

The following Script(Python) works as you might expect.

from Products.testp.testm import testc
xx = testc(7)
return xx.testv()

As does the following

from Products.testp.testm import testc
xx = testc(7)
yy = xx.testv
return yy()

But the following fails

from Products.testp.testm import testc
xx = testc(7)
yy = [xx.testv]
zz = yy[0]
return zz()

With error

Error Type: Unauthorized
Error Value: You are not allowed to access 'testv' in this context

I am using Zope 2.12.5 and Python 2.6.5

The same code works fine in Zope 2.10.

Tony Middleton (ximera)
affects: acquisition → zope2
Revision history for this message
Tres Seaver (tseaver) wrote : Re: [zope2-tracker] [Bug 580912] [NEW] Storing method instance of user written class in list confuses Zope access control system.

Tony Middleton wrote:
> Public bug reported:
>
> After moving from Zope 2.10 to 2.12 some existing Python code which
> accesses self-written packages failed. I have created a small test
> module to show the problem.
>
> Here is Products/testp/testm.py
>
> class testc:
>   def __init__(self,testval):
>     self.testval = testval
>   def testv(self):
>     return self.testval

The fact that access to 'testv' worked in any Zope2 version was the bug:
your class doesn't abide by the Zope2 security policy, which requires
that methods of classes be explicitly protected with a permission, or
else that the class has an '__allow_access_to_unprotected_subobjects__'
which enables access. Your grants allow access to the module and the
class, but not to methods or attributes of the class. See:

 http://docs.zope.org/zope2/zdgbook/Security.html

Please try adding the "magic" attribute at class scope, e.g.::

  class testc:
      __allow_access_to_unprotected_subobjects__ = 1
      ...

or else set up explicit security on your class, and initialize the class::

  from AccessControl.SecurityInfo import ClassSecurityInfo
  from App.class_init import InitializeClass

  class testc:
      security = ClassSecurityInfo()
      ...
      security.declarePublic('testv')
      def testv(self):
          ...

  InitializeClass(testc)

If that fixes the issue, then we can re-categorize this as a misfeature
of Zope 2.10.

  status incomplete

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com

Revision history for this message
Tony Middleton (ximera) wrote :

I'm afraid neither of the suggestions above made any difference and I'm also slightly confused about the reply.

Firstly, I understand the above to say that I have not correctly given access to the method and the fact that it worked in 2.10 was a fault that has now been fixed. However, that would imply that none of my three cases would work whereas the only failure on 2.12 is when I store the instance in a list.

Also, I had read the page referred to and although the description of allow_class is minimal, my understanding was that it is a shorthand that gives full access as it says "the utility function “allow_class” and “allow_module” have been created to help you declare the entire contents of a class or module as public".

Revision history for this message
Tony Middleton (ximera) wrote :

Interestingly, the third sample works if I use a tuple instead of a list but not a dictionary.

Tony Middleton (ximera)
Changed in zope2:
status: Incomplete → New
Changed in zope2:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid