Hi zopers, I got a security problem today and I finally fix it but I still wanted to share it with the rest of you to ask for advice and to help others to avoid my problem.
My problem was that I have a content type whose class was configured with: <require permission="zope.ManageContent" interface=".interfaces.IMyContent" /> And I have a default view for this class that looks like this: <page for="mypackage.interfaces.IMyContent" name="welcome.html" class=".views.IndexView" permission="zope.View" template="index.pt" title="Index" menu="zmi_views" /> As you can see there is a contradiction here: the view is 'public' but the object is 'private'. I see it now but it tooked my a while to discover it. Obviously I have a bunch of content types, packages and configure.zcml files so it was not so easy. So the real problem in my opinion is how Zope helps us to discover this kind of configuration bugs. All I have was an 'Internal Server Error' (500) and a stack trace like this: --- <exception caught here> --- File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/twisted/web2/wsgi.py", line 139, in run result = self.application(self.environment, self.startWSGIResponse) File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/wsgi/__init__.py", line 55, in __call__ request = publish(request, handle_errors=handle_errors) File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/publisher/publish.py", line 141, in publish publication.handleException( File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py", line 261, in handleException self._logErrorWithErrorReportingUtility(object, request, exc_info) File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py", line 215, in _logErrorWithErrorReportingUtility 'error reporting utility') File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py", line 384, in beginErrorHandlingTransaction self.annotateTransaction(txn, request, ob) File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/http.py", line 55, in annotateTransaction txn = super(BaseHTTPPublication, self).annotateTransaction( File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py", line 197, in annotateTransaction path = locatable.getPath() File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/location/traversing.py", line 147, in getPath path.append(context.__name__) zope.security.interfaces.Unauthorized: (<mypackage.mycontent.MyContent object at 0xa9e3aec>, '__name__', 'zope.ManageContent') Some questions arises: - Why didn't it pop up the typical http challengue asking me for credentials when it discovered that I was trying to access an object and I didn't have the appropiate permissions? - Why do I have to define permissions for a view if I already configured the same permissions for the class? The view should always have more restrictive permissions that the content type class or is there any use case for the opposite? - Is the above stack trace clear enough for experienced zope3 developers so they can quickly spot the problem or is it just me that I couldn't figure it out for a long time? Thanks for your patience Lorenzo Gil _______________________________________________ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users