[z3-five] Templates in views and path expressions

Martin Aspeli optilude at gmx.net
Mon May 7 17:26:26 CEST 2007


Martin Aspeli wrote:
> Tres Seaver wrote:
> 
>> Does the patch fix your problem?  I refactored the tests for the
>> Expressions module last night to allow us to write tests for the
>> security semantics of both the trusted and the regular engines, but
>> don't want to go further unless the patch fixes your issue.
> 
> It seems to work, yes! Thank you!
> 
> I've tried as a Manager user, and as a user with a local role which has 
> View permission in the context.
> 
> So, I think that fixes the ViewPageTemplateFiles-are-not-real-trusted 
> problem.

... and doesn't break security on untrusted code, either, from what I 
can see.

What scope do we have for getting this fix in, in what time frame? I'm 
hoping we'll be able to have this in a version which Plone 3.0 can 
depend on. ;)

> I still have a problem with security not being applied properly to 
> attributes, though. I just tried to put an untrusted page template in a 
> skin layer (actually, a temporarily mutilated document_view from Plone), 
> and do

I've just tried a few more things, all from untrusted code:

  - Set self.title as an instance variable in the constructor, not in the 
class --> still gets Unauthorized

  - Add a method get_title() to the class, with a docstring, returning 
self.title --> accessible

  - Add get_title() to the interface which is used in the <require /> 
statement --> accessible, but strange that it was *before* I added an 
explicit declaration for it

  - Add a new class variable foo = "foo", with no further security 
declarations --> accessible (!)

  - Add a new instance variable self.bar = "bar", with no further 
security declarations --> accessible (!)

So it seems to me that in general, any attribute which is part of an 
interface protected in a <require /> block, is inaccessible, whilst any 
method protected by an interface with <require /> is handled correctly, 
and any attribute or method not in an interface (i.e. not given explicit 
security declarations) is also accessible.

Martin

> <b tal:content="context/title" />
> 
> on the object. That still gives me the same Unauthorized error as 
> before, even though I thought I'd protected it.
> 
> For reference, here's the ZCML:
> 
>      <class class=".content.Project">
>          <require
>              permission="zope2.View"
>              interface=".interfaces.IProject"
>              />
>          <require
>              permission="cmf.ModifyPortalContent"
>              set_schema=".interfaces.IProject"
>              />
>      </class>
> 
> and the interface:
> 
> class IProject(Interface):
>      """A project workspace, where special local roles may apply
>      """
> 
>      title = schema.TextLine(title=_(u"Title"),
>                              description=_(u"Name of the project"),
>                              required=True)
> 
>      ...
> 
> and the class:
> 
> class Project(Container):
>      implements(IProject, ITTWLockable, INameFromTitle)
>      portal_type = "b-org Project"
> 
>      title = u""
> 
>      ...
> 
> and the error:
> 
> Traceback (innermost last):
>    Module ZPublisher.Publish, line 119, in publish
>    Module ZPublisher.mapply, line 88, in mapply
>    Module Products.PDBDebugMode.pdbzope.runcall, line 60, in pdb_runcall
>    Module ZPublisher.Publish, line 42, in call_object
>    Module Shared.DC.Scripts.Bindings, line 313, in __call__
>    Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
>    Module Products.CMFCore.FSPageTemplate, line 220, in _exec
>    Module Products.CMFCore.FSPageTemplate, line 159, in pt_render
>    Module Products.PageTemplates.PageTemplate, line 89, in pt_render
>    Module zope.pagetemplate.pagetemplate, line 117, in pt_render
>    Module zope.tal.talinterpreter, line 271, in __call__
>    Module zope.tal.talinterpreter, line 346, in interpret
>    ...
>    Module Products.PageTemplates.Expressions, line 224, in evaluateText
>    Module zope.tales.tales, line 696, in evaluate
>     - URL: 
> file:/Users/optilude/Development/Plone/Code/Build/ploneout/trunk/products/CMFPlone/skins/plone_content/document_view.pt
>     - Line 12, Column 4
>     - Expression: <PathExpr standard:u'context/managers'>
>     - Names:
>        {'container': <PloneSite at /test>,
>         'context': <Project at /test/my-workspace>,
>         'default': <object object at 0x53528>,
>         'here': <Project at /test/my-workspace>,
>         'loop': {},
>         'nothing': None,
>         'options': {'args': ()},
>         'repeat': <Products.PageTemplates.Expressions.SafeMapping object 
> at 0x8253558>,
>         'request': <HTTPRequest, 
> URL=http://localhost:8080/test/my-workspace/document_view>,
>         'root': <Application at >,
>         'template': <FSPageTemplate at /test/document_view used for 
> /test/my-workspace>,
>         'traverse_subpath': [],
>         'user': <PropertiedUser 'admin'>}
>    Module zope.tales.expressions, line 217, in __call__
>    Module Products.PageTemplates.Expressions, line 153, in _eval
>    Module zope.tales.expressions, line 124, in _eval
>    Module Products.PageTemplates.Expressions, line 80, in 
> boboAwareZopeTraverse
>    Module OFS.Traversable, line 301, in restrictedTraverse
>    Module OFS.Traversable, line 236, in unrestrictedTraverse
>     - __traceback_info__: ([], 'managers')
>    Module AccessControl.ImplPython, line 563, in validate
>    Module AccessControl.ImplPython, line 454, in validate
>    Module AccessControl.ImplPython, line 808, in raiseVerbose
> Unauthorized: Your user account is defined outside the context of the 
> object being accessed.  Access to 'managers' of (Project at 
> /test/my-workspace) denied. Your user account, admin, exists at 
> /acl_users. Access requires one of the following roles: ['Contributor', 
> 'Editor', 'Manager', 'Owner', 'Reader'].
> 
> Martin
> 


