[z3-five] Adaptation in untrusted code
Tres Seaver
tseaver at palladion.com
Fri Nov 17 20:10:58 CET 2006
Maciej Wisniowski wrote:
>> better, write up a unit test which:
>
> I've written some tests. They're expected to be put into Five/tests.
> I've checked them on Zope 2.8.8 and with Five 1.2.6.

Are they failing as checked in?

> A few issues:
> Do I need a <content class ... directive to set permissions?
> Why is the user supposed to be a Manager?
>
>
> The tests exhibit the following behaviours:
> 1. Adapter called directly from test works
> 2. Adapter called by Script Python:
>    1. When there is no '<content class directive', causes:
> Unauthorized: The container has no security assertions. Access to
> 'testmethod' of (Products.Five.tests.contentspaceadapters.
> CacheablePlus instance at 0x2aaab3dd3b90) denied.
>
>    2. When there is '<content class directive':
> Unauthorized: The owner of the executing script does not have the
> required permission. Access to 'testmethod' of
> (Products.Five.tests.contentspaceadapters.CacheablePlus instance at
> 0x2aaab3e03560) denied. Access requires one of the following
> roles: ['Manager']. The executing script is (PythonScript at
> /test_folder_1_/tester), owned by test_user_1_, who has the roles
> ['Authenticated', 'test_role_1_'].

Looks like nobody has given the appropriate permission to 'test_role_1_'
on that object.

>    3. When there is '<content class directive' and user has 'Manager'
>       role:
> Unauthorized: Your user account is defined outside the context of
> the object being accessed. Access to 'testmethod' of
> (Products.Five.tests.contentspaceadapters.CacheablePlus instance at
> 0x2aaab1db6128) denied. Your user account, test_user_1_, exists at
> /test_folder_1_/acl_users. Access requires one of the following
> roles: ['Manager'].

That case says to me that your adapter factory needs to return your
adapter object with an appropriate acquisition context -- otherwise, the
security machinery's 'inContextOf' check will fail.

Tres.
- --
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
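
The containment check from the last reply above, as an added example that is not part of the original message and is not Zope or Five code: a simplified stand-alone model showing why a user with the right role is still refused when the adapter has no parent chain, and why returning the adapter wrapped in its context fixes it. `Node`, `User`, `check_access`, both factories and the object names in `demo` are hypothetical; in Zope 2 the wrapping step corresponds to Acquisition's `__of__`.

```python
# Simplified model of the containment check; constructed, not Zope/Five code.
class Node:
    """Object with an acquisition-style parent pointer (hypothetical)."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

class User:
    def __init__(self, name, roles, user_folder):
        self.name, self.roles = name, set(roles)
        self.user_folder = user_folder  # the acl_users node that defines the user

def in_context_of(obj, context):
    """True if context is obj itself or appears in obj's parent chain."""
    while obj is not None:
        if obj is context:
            return True
        obj = getattr(obj, "parent", None)
    return False

def check_access(user, obj, required_roles):
    """A matching role is not enough: obj must sit below the user's home folder."""
    if not user.roles & set(required_roles):
        return "missing role"
    if not in_context_of(obj, user.user_folder.parent):
        return "user defined outside context"
    return "allowed"

class CacheablePlus:
    """Adapter named as in the thread; body constructed for this model."""
    def __init__(self, context):
        self.context = context
        self.parent = None  # bare instance: no containment chain at all

def bare_factory(context):
    return CacheablePlus(context)

def wrapping_factory(context):
    adapter = CacheablePlus(context)
    adapter.parent = context  # models returning the adapter wrapped in its context
    return adapter

def demo():
    folder = Node("test_folder_1_", Node("root"))
    acl_users = Node("acl_users", folder)
    adapted = Node("adapted_object", folder)  # constructed sample object
    plain = User("test_user_1_", ["Authenticated", "test_role_1_"], acl_users)
    manager = User("test_user_1_", ["Manager"], acl_users)
    return (check_access(plain, wrapping_factory(adapted), ["Manager"]),
            check_access(manager, bare_factory(adapted), ["Manager"]),
            check_access(manager, wrapping_factory(adapted), ["Manager"]))
```

The three results returned by `demo()` line up with cases 2.2 and 2.3 of the quoted report and with the wrapped-adapter fix, in that order.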