Hi zopers,
I got a security problem today and I finally fix it but I still wanted
to share it with the rest of you to ask for advice and to help others to
avoid my problem.
My problem was that I have a content type whose class was configured
with:
<require
permission="zope.ManageContent"
interface=".interfaces.IMyContent"
/>
And I have a default view for this class that looks like this:
<page
for="mypackage.interfaces.IMyContent"
name="welcome.html"
class=".views.IndexView"
permission="zope.View"
template="index.pt"
title="Index" menu="zmi_views"
/>
As you can see there is a contradiction here: the view is 'public' but the
object is 'private'.
I see it now but it tooked my a while to discover it. Obviously I have a bunch
of content types,
packages and configure.zcml files so it was not so easy.
So the real problem in my opinion is how Zope helps us to discover this kind of
configuration
bugs. All I have was an 'Internal Server Error' (500) and a stack trace like
this:
--- <exception caught here> ---
File "/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/twisted/web2/wsgi.py",
line 139, in run
result = self.application(self.environment, self.startWSGIResponse)
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/wsgi/__init__.py", line
55, in __call__
request = publish(request, handle_errors=handle_errors)
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/publisher/publish.py", line
141, in publish
publication.handleException(
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py",
line 261, in handleException
self._logErrorWithErrorReportingUtility(object, request, exc_info)
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py",
line 215, in _logErrorWithErrorReportingUtility
'error reporting utility')
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py",
line 384, in beginErrorHandlingTransaction
self.annotateTransaction(txn, request, ob)
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/http.py",
line 55, in annotateTransaction
txn = super(BaseHTTPPublication, self).annotateTransaction(
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/app/publication/zopepublication.py",
line 197, in annotateTransaction
path = locatable.getPath()
File
"/home/lgs/Python-2.4.4/Zope-3.3.1/lib/python/zope/location/traversing.py",
line 147, in getPath
path.append(context.__name__)
zope.security.interfaces.Unauthorized: (<mypackage.mycontent.MyContent object
at 0xa9e3aec>, '__name__', 'zope.ManageContent')
Some questions arises:
- Why didn't it pop up the typical http challengue asking me for credentials
when
it discovered that I was trying to access an object and I didn't have the
appropiate permissions?
- Why do I have to define permissions for a view if I already configured the
same
permissions for the class? The view should always have more restrictive
permissions
that the content type class or is there any use case for the opposite?
- Is the above stack trace clear enough for experienced zope3 developers so they
can quickly spot the problem or is it just me that I couldn't figure it out for
a
long time?
Thanks for your patience
Lorenzo Gil
_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
