[z3-five] ZCML security declarations and properties
Martin Aspeli
optilude at gmx.net
Tue Apr 17 23:42:36 CEST 2007
Martin Aspeli wrote:
> Tres Seaver wrote:
>
>> Can you examine your class in the debugger, and look at its __dict__?
>> The interesting keys are going to be '__ac_permissions__' and
>> 'bar__roles__' (if that one exists).
>
> __ac_permissions__ has 'bar' in the list for 'View' (and nothing else).
> bar__roles__ is:
>
> ['Anonymous',
> 'Manager',
> 'Reviewer',
> 'Reader',
> 'Editor',
> 'Anonymous',
> 'Manager',
> 'Reviewer',
> 'Reader',
> 'Editor',
> 'Reader',
> 'Manager',
> 'Anonymous']
>
> Apart from the repetition, that is what I'd expect.
>
>>>> your other error is assuming that a ZPT
>>>> is trusted code. You need to grant permissions for *all* attributes /
>>>> methods you access through ZPT, *except* those bound into the top-level
>>>> namespace (like 'options', 'request' etc.)
>>> I'm talking about a ZPT bound to a Z3 view with
>>> Products.Five.browser.pagetemplatefile.ViewPageTemplateFile. In my
>>> understanding, these are trusted code, at least I'm able to do all kinds
>>> of otherwise "insecure" things inside them, but not access this bit of
>>> my context content object.
>> You are correct that the VPTF is trusted code -- my bad.
>
> So then why does this matter at all?
Mmm... If I do this, it's okay:
<div tal:content="python:context.bar" />
In fact, the traceback I get when I use "context/bar" explains a bit more:
Module zope.tales.expressions, line 217, in __call__
Module Products.PageTemplates.Expressions, line 131, in _eval
Module zope.tales.expressions, line 124, in _eval
Module Products.PageTemplates.Expressions, line 80, in boboAwareZopeTraverse
Module OFS.Traversable, line 301, in restrictedTraverse
Module OFS.Traversable, line 232, in unrestrictedTraverse
- __traceback_info__: ([], 'phone')
Unauthorized: You are not allowed to access 'bar' in this context
So it's using unrestrictedTraverse even in a
Products.Five.browser.pagetemplatefile.ViewPageTemplateFile.
Is that intentional?
But even so, I thought that with the ZCML security declaration, I should
be allowed to access 'bar' even from protected code :-(
Martin
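The convention the thread is poking at (a ZCML security declaration ending up as `__ac_permissions__` plus a `bar__roles__` list on the class, and a path expression being resolved through a role-checking traversal while trusted `python:` code just does getattr) is shown below as a small stand-alone model. This is an added example, not code from the original post and not Zope's own implementation; the class, permission and role names are made up, the permission-to-roles mapping is passed in directly instead of being resolved at a site, and "no declaration means denied" is the simplified default this model uses rather than the full set of fallbacks Zope applies.

```python
# Added example (not from the original post, not Zope's own code): a
# stand-alone model of how a <name>__roles__ list gates restricted traversal.
# Names and sample data are constructed for illustration.

PUBLIC = None  # Zope convention: <name>__roles__ = None means "anyone may access"

_NO_DECLARATION = object()  # sentinel for "no <name>__roles__ attribute at all"


class Unauthorized(Exception):
    """Raised when the caller's roles do not satisfy the attribute's role list."""


def require(cls, permission, attributes, roles):
    """Stamp a class the way a ZCML <require permission= attributes=/> ends up doing.

    Records (permission, attribute names) in __ac_permissions__ and stores the
    roles owning that permission as <name>__roles__ on each attribute.
    The roles list is taken as given here (assumption: the site-level
    permission-to-roles resolution is outside this model).
    """
    perms = list(cls.__dict__.get('__ac_permissions__', ()))
    perms.append((permission, tuple(attributes)))
    cls.__ac_permissions__ = tuple(perms)
    for name in attributes:
        # Duplicates in the roles list (as seen in the thread) are harmless:
        # only membership is ever tested.
        setattr(cls, name + '__roles__', list(roles))


def guarded_getattr(obj, name, user_roles):
    """Model of the check a restricted traversal applies to one path segment."""
    roles = getattr(obj, name + '__roles__', _NO_DECLARATION)
    if roles is _NO_DECLARATION:
        # Nothing declared for this attribute: deny (simplified default).
        raise Unauthorized("You are not allowed to access '%s' in this context" % name)
    if roles is PUBLIC or set(roles) & set(user_roles):
        return getattr(obj, name)
    raise Unauthorized("You are not allowed to access '%s' in this context" % name)


def restricted_traverse(obj, path, user_roles):
    """Walk a 'a/b/c' path, checking roles at every step (what 'context/bar' does)."""
    for segment in path.split('/'):
        obj = guarded_getattr(obj, segment, user_roles)
    return obj


def unrestricted_traverse(obj, path):
    """Same walk with no checks (what trusted 'python:context.bar' amounts to)."""
    for segment in path.split('/'):
        obj = getattr(obj, segment)
    return obj


# Constructed sample content mirroring the thread's 'bar' attribute, plus an
# attribute that has no declaration at all.
class Content(object):
    def __init__(self):
        self.bar = 'bar value'
        self.secret = 'undeclared'


# The same roles list the thread observed, duplicates included.
require(Content, 'View', ['bar'],
        ['Anonymous', 'Manager', 'Reviewer', 'Reader', 'Editor', 'Anonymous'])


def try_restricted(path, user_roles):
    """Return the traversed value, or the Unauthorized message as a string."""
    try:
        return restricted_traverse(Content(), path, user_roles)
    except Unauthorized as exc:
        return str(exc)


if __name__ == '__main__':
    print(Content.__ac_permissions__)              # (('View', ('bar',)),)
    print(try_restricted('bar', ['Anonymous']))    # bar value
    print(try_restricted('bar', ['Member']))       # You are not allowed to access 'bar' ...
    print(try_restricted('secret', ['Manager']))   # You are not allowed to access 'secret' ...
    print(unrestricted_traverse(Content(), 'secret'))  # undeclared
```

The two things worth checking against a real class are the same ones Tres suggested: `__ac_permissions__` must list the attribute under the permission, and `<name>__roles__` must exist and contain a role the current user actually has. An attribute with no `__roles__` marker at all, or one whose list lacks the caller's roles, is what turns a path expression into `Unauthorized`, while a `python:` expression in trusted template code never consults the list.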