Re: [Zope-dev] Puzzling change to guarded_getitem in Zope 2.8

2005-08-26 Thread Dieter Maurer
Richard Jones wrote at 2005-8-26 10:00 +1000:
>I'm migrating our 2.7-developed Product to 2.8. The following change has me 
>puzzled. In 2.7,  AccessControl.ZopeGuards guarded_getitem has the following 
>code:
> ...
>def guarded_getitem(object, index):
>    [ snip handling of slices ]
>    ...
>    v = object[index]
>    if Containers(type(object)) and Containers(type(v)):
>        # Simple type.  Short circuit.
>        return v
>    if getSecurityManager().validate(object, object, None, v):
>        return v
>    raise Unauthorized, 'unauthorized access to element %s' % `i`
>
>where "index" has become "None". This would appear to imply that we can't 
>perform access controls on a per-item basis in sequences or mappings, unless 
>we do so in the actual __getitem__ method

I remember a posting from Jim (Fulton) where he pointed out
that this (access control for individual items based on their name)
is no longer supported.
I conclude that the change you see was on purpose (although I do not
see *why* Jim removed this possibility).


-- 
Dieter
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Puzzling change to guarded_getitem in Zope 2.8

2005-08-25 Thread Richard Jones
On Fri, 26 Aug 2005 10:00 am, Richard Jones wrote:
> I'm migrating our 2.7-developed Product to 2.8. The following change has me
> puzzled. In 2.7,  AccessControl.ZopeGuards guarded_getitem has the
> following code:

OK, Tres made the change, with the relevant bit of the log message being:

Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.

List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.

So I presume that the change *intended* to move the onus of validation from 
the guarded_getitem method to the __getitem__ method of the container? No 
more trusted access to custom (ie. not builtin) sequence/mapping objects?


 Richard




[Zope-dev] Puzzling change to guarded_getitem in Zope 2.8

2005-08-25 Thread Richard Jones
I'm migrating our 2.7-developed Product to 2.8. The following change has me 
puzzled. In 2.7,  AccessControl.ZopeGuards guarded_getitem has the following 
code:

def guarded_getitem(object, index):
    [ snip handling of slices ]
    ...
    v = object[index]
    if Containers(type(object)) and Containers(type(v)):
        # Simple type.  Short circuit.
        return v
    if getSecurityManager().validate(object, object, index, v):
        return v
    raise Unauthorized, 'unauthorized access to element %s' % `i`

note the use of "index" in the validate call. In 2.8, this appears as:

def guarded_getitem(object, index):
    [ snip handling of slices ]
    ...
    v = object[index]
    if Containers(type(object)) and Containers(type(v)):
        # Simple type.  Short circuit.
        return v
    if getSecurityManager().validate(object, object, None, v):
        return v
    raise Unauthorized, 'unauthorized access to element %s' % `i`

where "index" has become "None". This would appear to imply that we can't 
perform access controls on a per-item basis in sequences or mappings, unless 
we do so in the actual __getitem__ method, which implies there's no such 
thing as trusted code. We have an access policy implementation of:

def _checkAccess(self, name, value):
    if name.startswith('CG'):
        return 1
    if self.isValidAggregateName(name):
        return 1
    return 0
security.setDefaultAccess(_checkAccess)

which obviously doesn't work any more, since "name" is never an item name, it's 
always None.


Richard


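An added illustration of the behaviour discussed in this thread, not part of any message and not Zope's own code: plain-Python stand-ins show a name-based policy that works when the guard passes the item name (2.7), denies everything when the guard passes None (2.8), and works again once the container enforces the rule in its own `__getitem__`. The names `check_access`, `Aggregate`, `SelfCheckingAggregate`, `outcome` and the sample items are hypothetical.

```python
# Added illustration: plain-Python stand-ins, not Zope's AccessControl code.
class Unauthorized(Exception):
    pass

def check_access(name, value):
    # Name-based rule modelled on the thread's _checkAccess; None is denied.
    return name is not None and name.startswith('CG')

def guarded_getitem_27(obj, index):
    # 2.7 behaviour from the thread: the item name reaches the policy.
    v = obj[index]
    if obj.policy(index, v):
        return v
    raise Unauthorized('unauthorized access to element %r' % (index,))

def guarded_getitem_28(obj, index):
    # 2.8 behaviour from the thread: the policy is always called with None.
    v = obj[index]
    if obj.policy(None, v):
        return v
    raise Unauthorized('unauthorized access to element %r' % (index,))

class Aggregate:
    """Hypothetical container relying on the guard for per-item checks."""
    policy = staticmethod(check_access)
    def __init__(self, items):
        self._items = dict(items)
    def __getitem__(self, name):
        return self._items[name]

class SelfCheckingAggregate(Aggregate):
    """Hypothetical container enforcing the rule in __getitem__ itself."""
    policy = staticmethod(lambda name, value: True)  # items are pre-vetted
    def __getitem__(self, name):
        value = self._items[name]
        if not check_access(name, value):  # runs for every caller, trusted or not
            raise Unauthorized('unauthorized access to element %r' % (name,))
        return value

def outcome(guard, container, name):
    # Return the item, or the string 'Unauthorized' if access was refused.
    try:
        return guard(container, name)
    except Unauthorized:
        return 'Unauthorized'

ITEMS = {'CG1': 'public', 'secret': 'private'}  # constructed sample data
```

Because the check in `SelfCheckingAggregate.__getitem__` runs on every lookup, it also applies to callers that never go through the guard, which is the trade-off raised in the thread.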