[Zope-dev] Re: Puzzling change to guarded_getitem in Zope 2.8

Tres Seaver tseaver at palladion.com
Sat Aug 27 12:08:10 EDT 2005



Richard Jones wrote:

> I'm migrating our 2.7-developed Product to 2.8. The following change has me 
> puzzled. In 2.7,  AccessControl.ZopeGuards guarded_getitem has the following 
> code:
> 
> def guarded_getitem(object, index):
>     [ snip handling of slices ]
>     ...
>     v = object[index]
>     if Containers(type(object)) and Containers(type(v)):
>         # Simple type.  Short circuit.
>         return v
>     if getSecurityManager().validate(object, object, index, v):
>         return v
>     raise Unauthorized, 'unauthorized access to element %s' % `i`
> 
> note the use of "index" in the validate call. In 2.8, this appears as:
> 
> def guarded_getitem(object, index):
>     [ snip handling of slices ]
>     ...
>     v = object[index]
>     if Containers(type(object)) and Containers(type(v)):
>         # Simple type.  Short circuit.
>         return v
>     if getSecurityManager().validate(object, object, None, v):
>         return v
>     raise Unauthorized, 'unauthorized access to element %s' % `i`
> 
> where "index" has become "None". This would appear to imply that we can't 
> perform access controls on a per-item basis in sequences or mappings, unless 
> we do so in the actual __getitem__ method, which implies there's no such 
> thing as trusted code. We have an access policy implementation of:
> 
>     def _checkAccess(self, name, value):
>         if name.startswith('CG'):
>             return 1
>         if self.isValidAggregateName(name):
>             return 1
>         return 0
>     security.setDefaultAccess(_checkAccess)
> 
> which obviously doesn't work any more, since "name" is never an item name, it's 
> always None.

I found some discussion of this from the January 2004 zope-dev archives:

  http://mail.zope.org/pipermail/zope-dev/2004-January/thread.html#21425

Which led Jim to revert the change on the 2.7 branch.  Jim's resolution
to collector #1182 (http://www.zope.org/Collectors/Zope/1182) says:

  I have reverted the changes to pass None rather than item keys.

  Note that in the future (Zope 2.9) we will not support
  distinguishing access based on mapping or sequence keys or indexes.

So, it looks as though we should revert whatever that portion of
revision 24358 on the 2.8 branch, while leaving the trunk alone (so that
2.9 becomes the cutover point).

Index: lib/python/AccessControl/ZopeGuards.py
===================================================================
- --- lib/python/AccessControl/ZopeGuards.py      (revision 38085)
+++ lib/python/AccessControl/ZopeGuards.py      (working copy)
@@ -68,7 +68,7 @@
     if Containers(type(object)) and Containers(type(v)):
         # Simple type.  Short circuit.
         return v
- -    if getSecurityManager().validate(object, object, None, v):
+    if getSecurityManager().validate(object, object, index, v):
         return v
     raise Unauthorized, 'unauthorized access to element %s' % `i`
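
Review bot: The Unauthorized message on the last context line of this hunk formats `i`, while the only name for the key visible here is index, which the changed line passes to validate(). If i is not bound in the part of the function outside the hunk, a denied lookup would raise NameError rather than Unauthorized; formatting index in that message would avoid it. A one-line comment on the restored validate() call saying that key-based validation is kept for 2.8 only would also help, since the trunk keeps passing None, and the test mentioned in the message is not part of this diff.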

I have committed this change, along with a test, on the 2.8 branch
(revision #38120), but will revert if Jim or Andreas objects.

In the meanwhile, it seems as though Richard's application needs to grow
an "access check" layer within its '__getitem__' before it will be ready
for Zope 2.9.


Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
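
The difference discussed in this message, as an added example that is not part of the original post and is not Zope's AccessControl code: a simplified Python 3 model of a guard that either passes the key to the container's policy (2.7 behaviour) or passes None (the 2.8 change), next to a container that checks the key in its own `__getitem__`. The class names, the `pass_key` switch and the sample keys are assumptions made for illustration.

```python
class Unauthorized(Exception):
    """Stand-in for the exception the guard raises."""

AGGREGATES = {'totals'}  # constructed sample names

def check_access(name, value):
    """Per-key policy modelled on the _checkAccess quoted in the thread."""
    if name is None:          # the guard supplied no key: fail closed
        return False
    return name.startswith('CG') or name in AGGREGATES

class PolicyFolder(dict):
    """Relies on the guard handing the key to its policy."""
    policy = staticmethod(check_access)

class SelfCheckingFolder(dict):
    """Checks the key in __getitem__, whatever the guard passes."""
    @staticmethod
    def policy(name, value):
        return True           # container-level decision only

    def __getitem__(self, key):
        value = dict.__getitem__(self, key)
        if not check_access(key, value):
            raise Unauthorized('unauthorized access to element %r' % (key,))
        return value

def guarded_getitem(container, index, pass_key):
    """pass_key=True models validate(..., index, v); False models validate(..., None, v)."""
    value = container[index]
    if container.policy(index if pass_key else None, value):
        return value
    raise Unauthorized('unauthorized access to element %r' % (index,))

def allowed(container, index, pass_key):
    """True if the guarded lookup succeeds, False if it raises Unauthorized."""
    try:
        guarded_getitem(container, index, pass_key)
        return True
    except Unauthorized:
        return False
```

With the key withheld, the policy-based container can only allow or deny every item at once, while the self-checking container gives the same per-key answer in both modes; the cost is that its check also applies to callers that bypass the guard.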