[z3-five] ZCML security declarations and properties

Tres Seaver tseaver at palladion.com
Tue Apr 17 16:37:29 CEST 2007


Martin Aspeli wrote:
> Tres Seaver wrote:
>> Martin Aspeli wrote:
>>> Hi guys,
>>>
>>> I have an interface that defines various properties:
>>>
>>> class IFoo(Interface):
>>>
>>>     bar = schema.TextLine(...)
>>>
>>> class Foo(SimpleItem):
>>>     implements(IBar)
>>>
>>>     bar = property(...)
>>>
>>> I then have this in ZCML:
>>>
>>>     <class class=".foo.Foo">
>>>          <require
>>>              permission="zope2.View"
>>>              interface=".interfaces.IFoo"
>>>              />
>>>          <require
>>>              permission="cmf.ModifyPortalContent"
>>>              set_schema=".interfaces.Foo"
>>>              />
>>>      </class>
>>>
>>> However, if I try to do
>>>
>>>      <span tal:content="context/getPhone">Phone number</span>
>>>
>>> in a page ViewPageTemplateFile in a Z3 view (i.e. trusted code), I get:
>>>
>>>      Unauthorized: You are not allowed to access 'bar' in this context
>>>
>>> This is with verbose-security on, but not much help there...
>>>
>>> What am I missing here? Why is this happening even in trusted code?
>> 'getPhone' is not declared as being part of the interface to which you
>> grant permission in the ZCML; 
> 
> Sorry, I'm being a muppet. The code I pasted was the workaround (I used 
> a method). This is the code that gives the error:
> 
> <span tal:content="context/bar">Bar</span>
> 
> (I've simplified my code down to Foo and bar, obviously, it had to do 
> with a phone number to start with). 'bar' here is in the interface.
> 
> I *think* the key point here is that 'bar' is a Python property, not a 
> method, but I'm not sure.

Can you examine your class in the debugger, and look at its __dict__?
The interesting keys are going to be '__ac_permissions__' and
'bar__roles__' (if that one exists).

>> your other error is assuming that a ZPT
>> is trusted code.  You need to grant permissions for *all* attributes /
>> methods you access through ZPT, *except* those bound into the top-level
>> namespace (like 'options', 'request' etc.)
> 
> I'm talking about a ZPT bound to a Z3 view with 
> Products.Five.browser.pagetemplatefile.ViewPageTemplateFile. In my 
> understanding, these are trusted code, at least I'm able to do all kinds 
> of otherwise "insecure" things inside them, but not access this bit of 
> my context content object.

You are correct that the VPTF is trusted code -- my bad.


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
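
The class __dict__ inspection suggested in the message above, written out as an added example (not code from the thread or from Zope/Five). It assumes the Zope 2 convention that '__ac_permissions__' holds (permission, (names...)) entries; the helper name find_declarations and both sample classes are hypothetical and constructed for illustration.

```python
# Added illustration: plain-Python stand-ins, no Zope import required.

def find_declarations(cls, name):
    """Report Zope 2 style security declarations for `name` along the MRO.

    'permission'  -> (class name, permission) from __ac_permissions__, or None
    'roles'       -> (class name, value) of '<name>__roles__', or None if absent
    'is_property' -> True when the first definition of `name` is a property
    """
    result = {"permission": None, "roles": None, "is_property": False}
    roles_key = name + "__roles__"
    seen_attr = False
    for klass in cls.__mro__:
        ns = vars(klass)  # the class __dict__ examined in the debugger
        if result["roles"] is None and roles_key in ns:
            result["roles"] = (klass.__name__, ns[roles_key])
        if result["permission"] is None:
            # Assumed entry shape: (permission, (names...)[, default_roles])
            for entry in ns.get("__ac_permissions__", ()):
                if name in entry[1]:
                    result["permission"] = (klass.__name__, entry[0])
                    break
        if not seen_attr and name in ns:
            seen_attr = True
            result["is_property"] = isinstance(ns[name], property)
    return result


# Constructed sample classes mimicking the thread's Foo / bar.
class Declared:
    __ac_permissions__ = (("View", ("bar", "getBar")),)
    bar__roles__ = ("Anonymous", "Manager")  # constructed role tuple
    bar = property(lambda self: "value")

    def getBar(self):
        return "value"


class Undeclared:
    __ac_permissions__ = (("View", ("getBar",)),)
    bar = property(lambda self: "value")  # no entry and no bar__roles__

    def getBar(self):
        return "value"


if __name__ == "__main__":
    for sample in (Declared, Undeclared):
        print(sample.__name__, find_declarations(sample, "bar"))
```

A result with both 'permission' and 'roles' set to None for a name that the ZCML was expected to cover shows that the declaration never reached the class.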


