[Zope-dev] 2.7 branch: attribute permission problems

Richard Jones richard at commonground.com.au
Tue Sep 14 21:18:31 EDT 2004

Hash: SHA1

[might dupe - sent the first copy of this from the wrong address, sorry!]

I've just upgraded to use the bleeding-edge 2-7 branch (from 2.7.2, running in
py 2.3.3) and I've started getting permission problems with attributes. The
cause appears to be acquired attributes. With VerboseSecurity installed
(note: behaviour not dependent on VS - I checked), I get told:

 Error Type: Unauthorized
 Error Value: The container has no security assertions. Access to 'secure_url'
   of (CG Conference Proposals proposals at 0x41387b40) denied.

The "secure_url" attribute is defined at a much higher object, where we have a
declaration including:

    security.setDefaultAccess({'secure_url': 1})

On the "proposals" object though, we don't have any delaration for the
"secure_url" attribute. If I add one, or a general
security.setDefaultAccess("allow"), then the error goes away. This doesn't
seem correct to me.

The relevant change in CVS appears to be:

*** ../../../../Zope-2.7.2/lib/python/AccessControl/ImplPython.py 2004-02-10
17:46:02.000000000 +1100
- --- AccessControl/ImplPython.py 2004-09-15 09:59:41.617423171 +1000
*** 551,560 ****
              return v

          validate = SecurityManagement.getSecurityManager().validate
- -         # Filter out the objects we can't access.
- -         if hasattr(inst, 'aq_acquire'):
- -             return inst.aq_acquire(name, aq_validate, validate)
- -         # Or just try to get the attribute directly.
          if validate(inst, inst, name, v):
              return v
      raise Unauthorized, name
- --- 551,556 ----

The change note being "- Removed DWIM'y attempt to filter
acquired-but-not-aceessible results from 'guarded_getattr'." and I'm not sure
what that means :)

Version: GnuPG v1.2.4 (GNU/Linux)


More information about the Zope-Dev mailing list