[BlueBream] Strange effect with @@view calling

Marius Gedminas marius at gedmin.as
Thu Apr 1 05:55:30 EDT 2010


(Adding Cc: bluebream at zope.org back)

On Thu, Apr 01, 2010 at 09:57:59AM +0200, Dr. Volker Jaenisch wrote:
> Marius Gedminas schrieb:
> >>I am wondering:
> >>* Why do the similar URLs that lead to the same view (proved by pdb)
> >>with the same principal (zope.Manager, proved by pdb) lead to
> >>different results.
> >
> >Is view.context the same in both cases?
> Yes. It is.
> >Is it security-proxied in both cases?  (Check by looking at
> >type(self.context) in pdb.)
> Case A) :
> -> import pdb; pdb.set_trace()
> (Pdb) type(self.context)
> <class 'inqbus.booking.engine.app.BookingEngine'>

That's weird -- there's no proxy on the context.

> Case B):
> -> import pdb; pdb.set_trace()
> (Pdb) type(self.context)
> <type 'zope.security._proxy._Proxy'>
> (Pdb) self.context
> <inqbus.booking.engine.app.BookingEngine object at 0xa3b19ac>
> 
> OK. This is the problem. But why is there NO security context in Case A?

In an unrelated thread on zope-dev today I learned that
z3c.layer.pagelet version 1.0.1 has a security bug where it unwraps
security proxies from traversed objects.  Are you using that version of
that package by any chance?

> >>* How could it be, that a forbiddenAttribute error is raised if
> >>I work as Zope.Manager that has
> >>a grantAll Permission.
> >
> >ForbiddenAttribute means that *nobody*, not even managers, can access
> >that attribute.  It's raised whenever you don't have the appropriate
> >
> >  <class class="...Product">
> >    <require permission="..." interface=.../attributes=... />
> >  </class>
> >
> >in your ZCML.
> Oops. I have NO class definitions at all in the ZCML. They may have
> got lost during refactoring.
> But if there are no class definitions there should be defaults?

The default is to be secure -- raise ForbiddenAttribute on any attribute
access.

> And independent of which class definition I would have chosen, the
> security behavior should be the same in both cases, right?

Right.

> >>But if this is the case, is this behavior the correct one?
> >
> >If you truly haven't defined the permissions for the Product class in
> >your ZCML, then yes, the exception is supposed to happen.
> But the same exception should occur in case A?
> It should not be possible to fool the security by choosing another
> URL pointing to the same view.

Yes, this is a bug.

> I will impose a class definition for the product class and then
> report my findings.

Marius Gedminas
-- 
If you sat a monkey down in front of a keyboard, the first thing typed would be
a unix command.
                -- Bill Lye
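The default-deny behaviour discussed in this thread (ForbiddenAttribute for any attribute that has no `<require>` declaration, Unauthorized for a declared attribute the principal lacks, and a view silently bypassing both when its context arrives unproxied, as in case A), as an added illustration in plain Python. This is a simplified model of the idea, not zope.security's own checker; the BookingEngine attributes, the declaration dict and the permission sets are constructed for the demo.

```python
"""Model of the default-deny attribute check a zope.security proxy performs.

In real Zope the per-class declarations come from <class>/<require> ZCML
and the grants from the interaction; here both are plain Python objects
constructed for this example.
"""


class ForbiddenAttribute(Exception):
    """Attribute has no <require> declaration at all: denied for everyone."""


class Unauthorized(Exception):
    """Attribute is declared, but the principal lacks the permission."""


PUBLIC = "zope.Public"


class Proxy:
    """Wraps an object; every attribute read goes through the checker."""

    def __init__(self, obj, declarations, granted):
        self._obj = obj                  # the wrapped application object
        self._decl = declarations        # attribute name -> permission id
        self._granted = granted          # permissions the principal holds

    def __getattr__(self, name):
        permission = self._decl.get(name)
        if permission is None:
            # The secure default: no declaration means nobody may read it,
            # not even a manager holding every permission (grantAll).
            raise ForbiddenAttribute(name, self._obj)
        if permission != PUBLIC and permission not in self._granted:
            raise Unauthorized(name, permission)
        return getattr(self._obj, name)


class BookingEngine:
    """Stand-in for the thread's application object (constructed data)."""
    bookings = ["room-1"]
    secret_config = {"db": "..."}


def get_attr(context, name):
    """Return (outcome, value) so proxied and bare access can be compared."""
    try:
        return "ok", getattr(context, name)
    except ForbiddenAttribute:
        return "forbidden", None
    except Unauthorized:
        return "unauthorized", None


def is_proxied(context):
    """Check a view should make on self.context; case A received a bare object."""
    return isinstance(context, Proxy)
```

With `decl = {"bookings": "zope.View"}`, the proxied engine yields `("ok", ...)` for `bookings` and `("forbidden", None)` for `secret_config`, while the bare engine answers every lookup with `"ok"`, which is exactly the case A bypass.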