Re: Voodoo with ModuleSecurityInfo, was Re: [Zope] importing encode_base64
Paul Winkler wrote at 2005-6-9 15:42 -0400:
> ...
>> >ModuleSecurityInfo('Products.FooProduct').declarePublic(
>> >'blah', 'foo')
>>
>> This allows something like:
>>
>> from Products.FooProduct import foo
>>
>> But, in fact, you use
>>
>> from Products.FooProduct import Utils
>> ... Utils.foo ...
>>
>> Strange, that it worked at all...
>
>Yeah, I think I just happened to hit on some undocumented
>behavior that *mostly* works.
Maybe, you should file a bug report:
Undocumented security related features might be viewed
as security holes...
Especially, if something unexpectedly becomes possible...
However, I think, this one in not overly critical.
--
Dieter
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: Voodoo with ModuleSecurityInfo, was Re: [Zope] importing encode_base64
On Thu, Jun 09, 2005 at 08:18:30PM +0200, Dieter Maurer wrote:
> Paul Winkler wrote at 2005-6-8 20:48 -0400:
> > ...
> >from Products.FooProduct import Utils
> >return Utils.foo(context)
> >
> >
> >And in Products/FooProduct/__init__.py, I had this:
> >
> >ModuleSecurityInfo('Products.FooProduct').declarePublic(
> >'blah', 'foo')
>
> This allows something like:
>
> from Products.FooProduct import foo
>
> But, in fact, you use
>
> from Products.FooProduct import Utils
> ... Utils.foo ...
>
> Strange, that it worked at all...
Yeah, I think I just happened to hit on some undocumented
behavior that *mostly* works.
The moral of the story, of course, is "don't do that"!
--
Paul Winkler
http://www.slinkp.com
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: Voodoo with ModuleSecurityInfo, was Re: [Zope] importing encode_base64
Paul Winkler wrote at 2005-6-8 20:48 -0400:
> ...
>from Products.FooProduct import Utils
>return Utils.foo(context)
>
>
>And in Products/FooProduct/__init__.py, I had this:
>
>ModuleSecurityInfo('Products.FooProduct').declarePublic(
>'blah', 'foo')
This allows something like:
from Products.FooProduct import foo
But, in fact, you use
from Products.FooProduct import Utils
... Utils.foo ...
Strange, that it worked at all...
--
Dieter
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Voodoo with ModuleSecurityInfo, was Re: [Zope] importing encode_base64
On Mon, Jun 06, 2005 at 05:50:42PM -0400, Paul Winkler wrote:
> On Fri, Jun 03, 2005 at 04:58:57PM -0400, Paul Winkler wrote:
> > Just now I saw something that *may* be related,
> > some imports that were fine on zope 2.7.3 are giving me
> > trouble on 2.7.6, but this is a very preliminary observation
> > and i have not had time to troubleshoot yet. Monday...
>
> False alarm, I get the same problem in 2.7.3 and 2.7.0,
> most likely an error in my own code.
Maybe the following will be interesting, if not helpful,
at some date in the future if somebody else experiences weird problems
with ModuleSecurityInfo().declarePublic()...
More info about the symptom:
While importing (i.e. from a .zexp file) an entire CMF site, I was
getting an Unauthorized error that I was not allowed to access the method
(let's call it 'foo') in the current context.
Now, foo.py is a script in one of my filesystem directory views, and is
used both for a keyword index and metadata in my catalog tool.
And yes, I verified that there is no other object by that name.
foo.py is pretty darn simple:
from Products.FooProduct import Utils
return Utils.foo(context)
And in Products/FooProduct/__init__.py, I had this:
ModuleSecurityInfo('Products.FooProduct').declarePublic(
'blah', 'foo')
The interesting thing is that all this works just fine in the
normal operation of the CMF site. It *only* raises Unauthorized
during an import of a .zexp of the CMF site.
As if that wasn't weird enough, after a very long and tedious round of
troubleshooting today, I discovered that two changes were sufficient to
make the symptom go away:
* Remove an (unused) import from FooProduct/__init__.py.
(The imported object was a class, defined in the same Utils.py as the
foo function. This import was vestigial.)
* Completely remove another product (which does not import any code from
FooProduct, nor vice versa.)
Neither of these changes alone is sufficient - I have to do both.
Once I do that, I can import the .zexp, then I can revert those
code changes and restart zope and all is good.
Neither one of those changes has anything whatsoever to do with foo.py
AFAICT. Sounds bizarre, but this is 100% reproducible.
This is some crazy voodoo. If I can boil it down to a reasonably small
demonstration, I'll file a collector issue.
But I don't think I will bother to, because it finally occurred to me
that if I change the form of the import in the script, it works.
i.e. if I change foo.py to look like this:
from Products.FooProduct.Utils import foo
return foo(context)
... then it works all the time, even during the import,
regardless of the aforementioned voodoo changes.
Weird, huh?
Security sucks.
--
Paul Winkler
http://www.slinkp.com
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
On Fri, Jun 03, 2005 at 04:58:57PM -0400, Paul Winkler wrote: > Just now I saw something that *may* be related, > some imports that were fine on zope 2.7.3 are giving me > trouble on 2.7.6, but this is a very preliminary observation > and i have not had time to troubleshoot yet. Monday... False alarm, I get the same problem in 2.7.3 and 2.7.0, most likely an error in my own code. -- Paul Winkler http://www.slinkp.com ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
Am Freitag, den 03.06.2005, 16:58 -0400 schrieb Paul Winkler: ... > > Thats funny. I do the same and it works. > > What zope versions are you guys running? > > Just now I saw something that *may* be related, > some imports that were fine on zope 2.7.3 are giving me > trouble on 2.7.6, but this is a very preliminary observation > and i have not had time to troubleshoot yet. Monday... Where I use it and it works is an early 2.7ish. Yes I know I should update, but if you did some hacks here and there (notably removed the hard coded latin-1 every time you download a ZPT or python script) ... is a greater effort ;) ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
Am Freitag, den 03.06.2005, 22:52 +0200 schrieb Dieter Maurer:
...
> What you almost surely want is:
>
> ModuleSecurityInfo('email.Encoders').declarePublic('encode_base64')
>
This part is currently not documented in great detail.
Thanks for finding and pointing out.
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
Varun Parange wrote at 2005-6-2 10:34 -0700:
>i am having problems importing encode_base64
>
>i have created a product in which i have specified:
>'''
>from AccessControl import allow_module, allow_class, allow_type
>from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
>from email.Encoders import encode_base64
>
>allow_class(encode_base64)
>
>''
>
>however when i try using it:
>
>from Products.EmailTools import
>MIMEText,MIMEBase,MIMEMultipart,Header,encode_base64
>
>i get an error saying:
>
>Error Type: ImportError
>Error Value: cannot import name encode_base64
You use "allow_class" in the wrong way:
"encode_base64" is not a class but a function.
"allow_class" sets security declarations such that the
attributes of instances of this class can be accessed
without restrictions. However, there are no instances
of a function...
What you almost surely want is:
ModuleSecurityInfo('email.Encoders').declarePublic('encode_base64')
> ...
>-
>Discover Yahoo!
> Have fun online with music videos, cool games, IM & more. Check it
> out!hi,
>
Please sent plain text only messages...
--
Dieter
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
On Fri, Jun 03, 2005 at 10:50:25PM +0200, Tino Wildenhain wrote: > Am Donnerstag, den 02.06.2005, 10:34 -0700 schrieb Varun Parange: > > however when i try using it: > > > > from Products.EmailTools import > > MIMEText,MIMEBase,MIMEMultipart,Header,encode_base64 > > > > i get an error saying: > > > > Error Type: ImportError > > Error Value: cannot import name encode_base64 > > > > All other modules are imported except this one... > > > Thats funny. I do the same and it works. What zope versions are you guys running? Just now I saw something that *may* be related, some imports that were fine on zope 2.7.3 are giving me trouble on 2.7.6, but this is a very preliminary observation and i have not had time to troubleshoot yet. Monday... -- Paul Winkler http://www.slinkp.com ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
Am Donnerstag, den 02.06.2005, 10:34 -0700 schrieb Varun Parange: > hi, > > i am having problems importing encode_base64 > > i have created a product in which i have specified: > ''' > from AccessControl import allow_module, allow_class, allow_type > from AccessControl import ModuleSecurityInfo, ClassSecurityInfo > from email.Encoders import encode_base64 > > allow_class(encode_base64) > > '' > > however when i try using it: > > from Products.EmailTools import > MIMEText,MIMEBase,MIMEMultipart,Header,encode_base64 > > i get an error saying: > > Error Type: ImportError > Error Value: cannot import name encode_base64 > > All other modules are imported except this one... > Thats funny. I do the same and it works. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
Andreas Jung wrote: ..the standard answer: allow_module is not a solution for all and everything. WEll, it SHOULD work as advertised. I've always felt that stuff was flakey, be interesting to see some concrete bug reports... cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] importing encode_base64
--On 2. Juni 2005 10:34:20 -0700 Varun Parange <[EMAIL PROTECTED]> wrote: hi, i am having problems importing encode_base64 i have created a product in which i have specified: ''' from AccessControl import allow_module, allow_class, allow_type from AccessControl import ModuleSecurityInfo, ClassSecurityInfo from email.Encoders import encode_base64 allow_class(encode_base64) '' however when i try using it: from Products.EmailTools import MIMEText,MIMEBase,MIMEMultipart,Header,encode_base64 i get an error saying: Error Type: ImportError Error Value: cannot import name encode_base64 ..the standard answer: allow_module is not a solution for all and everything. Use external methods or write Zope Product. -aj pgp9M20TVgvzM.pgp Description: PGP signature ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
