[zope2-tracker] [Bug 511294] [NEW] UnauthorizedBinding Context is not being handled at all by MultiAdapters
Tres Seaver
tseaver at palladion.com
Fri Jan 22 13:35:28 EST 2010
Patrick Gerken wrote:
> Public bug reported:
>
> In svn commit 24375,
>
> http://svn.zope.org/Zope/trunk/lib/python/Shared/DC/Scripts/Bindings.py?rev=24375&r1=24352&r2=24375
>
> there is a workaround for better security handling.
>
> Instead of throwing an Unauthorized Exception, it returns a Context that
> will most probably throw an Unauthorized Exception later, while trying
> to access a member.
>
> But nowadays, we can try to get a view with MultiAdapters, and these
> throw a KeyError, which is then not handled as an Unauthorized exception.
> I wonder if this workaround for Workflows can be removed. I mean, it's 6
> years now.

This isn't a workaround: it is there so that no matter what, a script
can't be used to access something the user doesn't have permissions for.

> The issue materializes itself in Plone, the bug report there is this one:
> http://dev.plone.org/plone/ticket/9394

To put a prettier user experience on the case in that Plone bug, try
registering a traversal adapter for the UnauthorizedBinding which
unconditionally raises Unauthorized. If that works out, we could look
at doing such a registration inside Zope.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
--
UnauthorizedBinding Context is not being handled at all by MultiAdapters
https://bugs.launchpad.net/bugs/511294
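
The failure mode and the registration suggested in the reply above, modelled as an added example that is not part of the original message and is not Zope code. `ViewRegistry`, `deny_view`, `Document` and the simplified `Unauthorized` and `UnauthorizedBinding` classes are stand-ins written for this illustration; the real Zope classes and adapter registry differ.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""

class UnauthorizedBinding:
    """Simplified placeholder bound where the user lacks access."""
    def __init__(self, name):
        self._name = name

    def __getattr__(self, attr):
        # Reached only for attributes not found normally: the deferred denial.
        raise Unauthorized("%s.%s" % (self._name, attr))

class Document:
    title = "Quarterly report"  # constructed sample content

class ViewRegistry:
    """Hypothetical view lookup keyed on (context class, view name)."""
    def __init__(self):
        self._views = {}

    def register(self, cls, name, factory):
        self._views[(cls, name)] = factory  # name=None matches any view name

    def get_view(self, context, name):
        for key in ((type(context), name), (type(context), None)):
            if key in self._views:
                return self._views[key](context)
        raise KeyError(name)  # lookup never touches an attribute of context

def deny_view(context):
    """Adapter for the placeholder that unconditionally raises Unauthorized."""
    raise Unauthorized("view lookup on unauthorized binding")

def outcome(registry, context, name):
    try:
        registry.get_view(context, name)
        return "ok"
    except Unauthorized:
        return "Unauthorized"
    except KeyError:
        return "KeyError"

def demo():
    registry = ViewRegistry()
    registry.register(Document, "summary", lambda ctx: ctx.title)
    placeholder = UnauthorizedBinding("context")
    before = outcome(registry, placeholder, "summary")   # no adapter yet
    registry.register(UnauthorizedBinding, None, deny_view)
    after = outcome(registry, placeholder, "summary")    # denial is explicit
    return before, after, outcome(registry, Document(), "summary")
```

In both cases the placeholder yields no view; the registration only changes the error the caller sees from a lookup failure to an authorization failure, which a login or error page can handle properly.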