[Zope-CMF] declarative security bug?

Jens Vagelpohl jens@digicool.com
Tue, 24 Jul 2001 15:29:19 -0400


seb,

it's actually not a bug but intended behavior which we might re-think 
since quite a few people stumble over it and its side effects.

basically, if a method is declared "public" then the security machinery is 
circumvented (saving processing) and the user as it appears to the 
security machinery becomes "Anonymous" while this public method is running.

this is not a security bug or risk, it was put in to speed up processing 
for things that can be accessed by everyone, anyway.

if you rely on knowing the logged-in user in your public method you can 
trick the system into doing security the normal way by protecting the 
method with a permission that everyone including Anonymous users normally 
has, like "View".

so instead of

declarePublic( 'mymethod' )

you would say

declareProtected( 'View', 'mymethod' )

jens


On Tuesday, July 24, 2001, at 03:43 , seb bacon wrote:

> Hi,
>
> I think I've found a security bug, but it might be something unique to
> my setup.  However, I'm in a real mad dash this week so I haven't time
> to check it in a vanilla install.
>
> Why does this print "Manager"
>
>     security.declareProtected(AddPortalContent, 'parper')
>     def parper(self):
>         'parp'
>         print self.portal_membership.getAuthenticatedMember()
>
> But this prints "Anonymous User"
>
>     security.declarePublic('parper')
>     def parper(self):
>         'parp'
>         print self.portal_membership.getAuthenticatedMember()
>
> ?
>
> This is in a specialised Folder which subclasses PortalFolder, using
> Zope 2.3.2 and CMF 1.1.
>
> seb
>
> _______________________________________________
> Zope-CMF maillist  -  Zope-CMF@zope.org
> http://lists.zope.org/mailman/listinfo/zope-cmf
>
> See http://www.zope.org/Products/PTK/Tracker for bug reports and feature 
> requests
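Added example, not code from the thread and not Zope or CMF code: a small Python model of the behaviour Jens describes. The names SecurityRegistry, PortalFolder, publish, PERMISSION_ROLES and the role table are constructed for illustration; only the observable effect of Zope's public fast path is reproduced (no permission check, Anonymous as the effective user), not Zope's real implementation. It shows that a method declared public sees "Anonymous User" even for a logged-in Manager, while the same method protected with "View" keeps the real identity and stays reachable for anonymous callers, and that a stricter permission is still enforced.

```python
"""Toy model of Zope 2 declarative security (added example, not Zope code)."""
import contextvars

PUBLIC = object()  # sentinel: method declared public, no check performed


class Unauthorized(Exception):
    """Raised when the caller holds no role granting the required permission."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


ANONYMOUS = User("Anonymous User", {"Anonymous"})

# Constructed sample mapping permission -> roles that hold it.
PERMISSION_ROLES = {
    "View": {"Anonymous", "Member", "Manager"},
    "Add portal content": {"Member", "Manager"},
}

# Stand-in for Zope's thread-local security manager.
_current_user = contextvars.ContextVar("current_user")


def getAuthenticatedMember():
    """What a method sees when it asks who is logged in."""
    return _current_user.get(ANONYMOUS)


class SecurityRegistry:
    """Minimal stand-in for ClassSecurityInfo (constructed, not Zope's API)."""

    def __init__(self):
        self._declarations = {}

    def declarePublic(self, *names):
        for name in names:
            self._declarations[name] = PUBLIC

    def declareProtected(self, permission, *names):
        for name in names:
            self._declarations[name] = permission

    def lookup(self, name):
        return self._declarations[name]


class PortalFolder:
    security = SecurityRegistry()

    security.declarePublic("parp_public")

    def parp_public(self):
        return getAuthenticatedMember().name

    security.declareProtected("View", "parp_view")

    def parp_view(self):
        return getAuthenticatedMember().name

    security.declareProtected("Add portal content", "parp_add")

    def parp_add(self):
        return getAuthenticatedMember().name


def publish(obj, method_name, user):
    """Dispatch a call the way the thread describes the publisher behaving."""
    permission = obj.security.lookup(method_name)
    if permission is PUBLIC:
        # Fast path: skip validation entirely; the effective user is Anonymous.
        effective = ANONYMOUS
    else:
        allowed = PERMISSION_ROLES.get(permission, set())
        if not (user.roles & allowed):
            raise Unauthorized("%s lacks %r for %s" % (user.name, permission, method_name))
        effective = user  # normal path: real identity is visible to the method
    token = _current_user.set(effective)
    try:
        return getattr(obj, method_name)()
    finally:
        _current_user.reset(token)


def run_demo():
    """Return what each declaration style reports for a logged-in Manager."""
    folder = PortalFolder()
    manager = User("Manager", {"Manager", "Member"})
    return {
        "public": publish(folder, "parp_public", manager),
        "view": publish(folder, "parp_view", manager),
        "add": publish(folder, "parp_add", manager),
    }


if __name__ == "__main__":
    for style, who in run_demo().items():
        print("%-7s -> %s" % (style, who))
```

Running the block prints the three cases; the "View"-protected variant is the workaround from the reply, since Anonymous holds "View" too and so is not locked out, while the method still sees the real user.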