Hi all,

I've installed Zope 2.7.3b2 (Python 2.3.4, GNU/Linux box) to test my products, and right from the start I've found a terrible problem for me. My applications began to raise "Unauthorized: The container has no security assertions" errors everywhere. I've been searching on Google and found this thread:
http://www.mail-archive.com/zope-dev%40zope.org/msg17218.html


Really, the problem seems to be exactly the same. A simple example:

I have a persistent object A and a non-persistent object B. B has implicit acquisition. From trusted code I return B.__of__(A). Trying to access B.meta_type from untrusted code (a ZPT) raises the error. B has no attribute meta_type, so it should be returned from A using implicit acquisition. A has all necessary security assertions.

All this has been working fine from Zope 2.7.0 to 2.7.2. The problem appears for the first time in Zope 2.7.3 beta. As Richard Jones says, the problem seems to be a little change in AccessControl/ImplPython.py:

554,557d553
<         # Filter out the objects we can't access.
<         if hasattr(inst, 'aq_acquire'):
<             return inst.aq_acquire(name, aq_validate, validate)
<         # Or just try to get the attribute directly.
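
Review bot: At 554-557, without the `hasattr(inst, 'aq_acquire')` branch nothing in these lines passes `aq_validate` into the lookup, so a wrapped object falls through to the "get the attribute directly" path and the "Filter out the objects we can't access" step no longer runs per object in the acquisition chain. If that is intended, the code needs a comment saying which object an acquired attribute is now validated against, plus a regression test for a wrapper whose inner object carries no security assertions of its own.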

and I think also in cAccessControl.c:

2112,2123d2113
< # Filter out the objects we can't access.
< if hasattr(inst, 'aq_acquire'):
< return inst.aq_acquire(name, aq_validate, validate)
< */
< if (aq_isWrapper(inst))
< {
< Py_DECREF(v);
< return aq_Acquire(inst, name, aq_validate, validate, 1, NULL, 0);
< }
<
< /*
< # Or just try to get the attribute directly.
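
Review bot: The range 2112-2123 begins and ends inside C comments (it includes a closing `*/` and a later opening `/*`), so the comment text on either side is joined into one comment; check that what remains still describes the code under it. The C condition is `aq_isWrapper(inst)` while the Python it quotes is `hasattr(inst, 'aq_acquire')`, so confirm the two implementations select the same objects and cannot disagree on an authorization decision. The `Py_DECREF(v)` before the early return shows `v` is already held at this point, so whatever path replaces this one has to release it too.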


Thanks in advance

Santi Camps
http://www.earcon.com
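
The scenario in the message above, as an added, simplified model (not part of the original post and not Zope's AccessControl or Acquisition code). `Wrapper`, `declared_public`, `validate` and `guarded_lookup` are hypothetical stand-ins; the model assumes the security check is made against the unwrapped object it is handed.

```python
# Toy model only: names below are stand-ins, not Zope's implementation.
class Unauthorized(Exception):
    pass

class A:
    meta_type = "Container A"
    declared_public = {"meta_type"}  # stand-in for A's security assertions

class B:
    """Non-persistent object: no meta_type, no security assertions."""

class Wrapper:
    """Minimal implicit-acquisition wrapper, i.e. B.__of__(A)."""
    def __init__(self, obj, parent):
        self.obj, self.parent = obj, parent

    def __getattr__(self, name):
        # Implicit acquisition: fall back to the parent if obj lacks the name.
        try:
            return getattr(self.obj, name)
        except AttributeError:
            return getattr(self.parent, name)

    def aq_acquire(self, name, filter_, validate):
        # Offer each candidate to the filter with the object it was found on.
        for owner in (self.obj, self.parent):
            if hasattr(owner, name):
                value = getattr(owner, name)
                if filter_(owner, name, value, validate):
                    return value
        raise AttributeError(name)

def validate(container, name, value):
    base = getattr(container, "obj", container)  # unwrap, so B is checked as B
    if name not in getattr(base, "declared_public", ()):
        raise Unauthorized("The container has no security assertions")
    return True

def aq_validate(owner, name, value, validate):
    return validate(owner, name, value)

def guarded_lookup(inst, name, acquisition_aware):
    if acquisition_aware and hasattr(inst, "aq_acquire"):
        # The branch shown in the quoted hunks: validate along the chain.
        return inst.aq_acquire(name, aq_validate, validate)
    value = getattr(inst, name)   # the value is still acquired from A ...
    validate(inst, name, value)   # ... but the check runs against B
    return value
```

In this model the acquired `meta_type` is authorized only when the check is run against A, the object that actually supplies it.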
