Re: [Zope-dev] Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Shane Hathaway
Brian Lloyd wrote:
> +1 from me ;)

It's in.  (However, the zope-checkins list didn't seem to notice.)

Shane

>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>>Behalf Of Shane Hathaway
>>Sent: Tuesday, June 14, 2005 11:17 AM
>>To: Andreas Jung
>>Cc: zope-dev@zope.org
>>Subject: Re: [Zope-dev] Verbose security for Zope 2.8 or 2.9
>>
>>
>>Andreas Jung wrote:
>>
>>>--On 14. Juni 2005 09:52:33 -0600 Shane Hathaway <[EMAIL PROTECTED]>
>>>wrote:
>>>
>>>>This patch supersedes the VerboseSecurity product, so I don't plan to
>>>>update the VerboseSecurity product for Zope 2.8.  Should the patch be
>>>>included in Zope 2.8.1?
>>>
>>>From me: +2
>>
>>There is clearly support for this, so unless Jim or Brian objects, I'll
>>work on checking in the patch to Zope-2_8-branch and the trunk right away.
>>
>>Shane

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


RE: [Zope-dev] Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Andreas Jung



--On 14. Juni 2005 13:12:14 -0400 Brian Lloyd <[EMAIL PROTECTED]> wrote:

> +1 from me ;)

Enough pro-votes to overrule Jim :-) I suggest to merge the stuff :-)

-aj






RE: [Zope-dev] Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Brian Lloyd
+1 from me ;)


Brian Lloyd[EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Shane Hathaway
> Sent: Tuesday, June 14, 2005 11:17 AM
> To: Andreas Jung
> Cc: zope-dev@zope.org
> Subject: Re: [Zope-dev] Verbose security for Zope 2.8 or 2.9
>
>
> Andreas Jung wrote:
> > --On 14. Juni 2005 09:52:33 -0600 Shane Hathaway <[EMAIL PROTECTED]>
> > wrote:
> >> This patch supersedes the VerboseSecurity product, so I don't plan to
> >> update the VerboseSecurity product for Zope 2.8.  Should the patch be
> >> included in Zope 2.8.1?
> >
> > From me: +2
>
> There is clearly support for this, so unless Jim or Brian objects, I'll
> work on checking in the patch to Zope-2_8-branch and the trunk right away.
>
> Shane


Re: [Zope-dev] Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Shane Hathaway
Andreas Jung wrote:
> --On 14. Juni 2005 09:52:33 -0600 Shane Hathaway <[EMAIL PROTECTED]>
> wrote:
>> This patch supersedes the VerboseSecurity product, so I don't plan to
>> update the VerboseSecurity product for Zope 2.8.  Should the patch be
>> included in Zope 2.8.1?
> 
> From me: +2

There is clearly support for this, so unless Jim or Brian objects, I'll
work on checking in the patch to Zope-2_8-branch and the trunk right away.

Shane


Re: [Zope-dev] Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Paul Winkler
On Tue, Jun 14, 2005 at 09:52:33AM -0600, Shane Hathaway wrote:
> Should the patch be included in Zope 2.8.1?

ooo, yes please!

-PW

-- 

Paul Winkler
http://www.slinkp.com


[Zope-dev] Re: Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Tres Seaver

Shane Hathaway wrote:
> I've written a patch against the Zope trunk that integrates the
> functionality of the VerboseSecurity product into the Zope core.  I've
> attached the patch, which is based on Subversion revision 30788.  All
> Zope tests pass with the patch, whether verbose security is enabled or
> not.  A couple of improvements over the VerboseSecurity product are also
> in the patch; in particular, object paths and failed permission names
> are displayed more often.
> 
> To enable verbose security, apply the patch, recompile and reinstall
> using "make", then add the following lines to etc/zope.conf:
> 
>   security-policy-implementation python
>   verbose-security on
> 
> Let me know whether it works for you (reply to the zope-dev list as well.)
> 
> This patch supersedes the VerboseSecurity product, so I don't plan to
> update the VerboseSecurity product for Zope 2.8.  Should the patch be
> included in Zope 2.8.1?

+1.

Tres.
- --
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"http://palladion.com
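
A configuration check for the two directives in the instructions quoted above, as an added example that is not part of the thread or of Zope: it reads zope.conf text and reports when verbose-security is on without the Python policy, or on for a site marked public. The function names, the sample configs and the defaults used when a directive is absent (C policy, verbose off) are assumptions of this example.

```python
# Added example: lint zope.conf text for the verbose-security directive.
# Assumed defaults when a directive is absent: C policy, verbose off.
DEFAULTS = {"security-policy-implementation": "c", "verbose-security": "off"}
TRUE_WORDS = {"on", "yes", "true"}

# Constructed sample configurations (not taken from the thread).
DEBUG_CONF = """\
security-policy-implementation python
verbose-security on
"""
BROKEN_CONF = """\
# policy left at its default
verbose-security on
<http-server>
  address 8080
</http-server>
"""


def top_level_directives(text):
    """Return the two directives as set at top level, skipping <section> bodies."""
    found, depth = dict(DEFAULTS), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#%":
            continue  # blank line, comment, or %define/%import
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 0 if line.endswith("/>") else 1
        elif depth == 0:
            parts = line.split(None, 1)
            if parts[0].lower() in DEFAULTS:
                found[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return found


def audit(text, public_site=False):
    """Return findings about verbose-security for one zope.conf."""
    cfg = top_level_directives(text)
    verbose = cfg["verbose-security"] in TRUE_WORDS
    policy = cfg["security-policy-implementation"]
    findings = []
    if verbose and policy != "python":
        findings.append("verbose-security is on but security-policy-implementation "
                        "is %r; the C policy rejects the verbose option" % policy)
    if verbose and public_site:
        findings.append("verbose-security is on for a public site; Unauthorized "
                        "errors may reveal site structure")
    return findings
```
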


Re: [Zope-dev] Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Andreas Jung



--On 14. Juni 2005 09:52:33 -0600 Shane Hathaway <[EMAIL PROTECTED]>
wrote:

> I've written a patch against the Zope trunk that integrates the
> functionality of the VerboseSecurity product into the Zope core.  I've
> attached the patch, which is based on Subversion revision 30788.  All
> Zope tests pass with the patch, whether verbose security is enabled or
> not.  A couple of improvements over the VerboseSecurity product are also
> in the patch; in particular, object paths and failed permission names
> are displayed more often.
>
> To enable verbose security, apply the patch, recompile and reinstall
> using "make", then add the following lines to etc/zope.conf:
>
>   security-policy-implementation python
>   verbose-security on
>
> Let me know whether it works for you (reply to the zope-dev list as well.)
>
> This patch supersedes the VerboseSecurity product, so I don't plan to
> update the VerboseSecurity product for Zope 2.8.  Should the patch be
> included in Zope 2.8.1?

From me: +2


-aj






[Zope-dev] Verbose security for Zope 2.8 or 2.9

2005-06-14 Thread Shane Hathaway
I've written a patch against the Zope trunk that integrates the
functionality of the VerboseSecurity product into the Zope core.  I've
attached the patch, which is based on Subversion revision 30788.  All
Zope tests pass with the patch, whether verbose security is enabled or
not.  A couple of improvements over the VerboseSecurity product are also
in the patch; in particular, object paths and failed permission names
are displayed more often.

To enable verbose security, apply the patch, recompile and reinstall
using "make", then add the following lines to etc/zope.conf:

  security-policy-implementation python
  verbose-security on

Let me know whether it works for you (reply to the zope-dev list as well.)

This patch supersedes the VerboseSecurity product, so I don't plan to
update the VerboseSecurity product for Zope 2.8.  Should the patch be
included in Zope 2.8.1?

Shane

Index: lib/python/Zope2/Startup/__init__.py
===
--- lib/python/Zope2/Startup/__init__.py(revision 30788)
+++ lib/python/Zope2/Startup/__init__.py(working copy)
@@ -151,7 +151,8 @@
 self.cfg.security_policy_implementation)
 AccessControl.setDefaultBehaviors(
 not self.cfg.skip_ownership_checking,
-not self.cfg.skip_authentication_checking)
+not self.cfg.skip_authentication_checking,
+self.cfg.verbose_security)
 
 def setupLocale(self):
 # set a locale if one has been specified in the config
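Review bot: With the C policy selected, the new third argument makes this setDefaultBehaviors call raise NotImplementedError whenever verbose-security is on (see the cAccessControl.c hunk), and nothing around the call in this hunk handles that. Consider checking the combination here and reporting it as a configuration error that names both directives, so a mismatched zope.conf fails with a clear message instead of an unhandled exception from this call.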
Index: lib/python/Zope2/Startup/zopeschema.xml
===
--- lib/python/Zope2/Startup/zopeschema.xml (revision 30788)
+++ lib/python/Zope2/Startup/zopeschema.xml (working copy)
@@ -621,6 +621,18 @@
  off
   
 
+  
+ 
+ Set this directive to 'on' to enable verbose security exceptions.
+ This can help you track down the reason for Unauthorized exceptions,
+ but it is not suitable for public sites because it may reveal
+ unnecessary information about the structure of your site.  Only
+ works if security-policy-implementation is set to 'PYTHON'.
+ 
+ off
+  
+
   
  
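Review bot: The last sentence of the new description says the directive only works when security-policy-implementation is set to 'PYTHON', while the error text added in cAccessControl.c tells the user to add 'security-policy-implementation python'. Use one spelling in both places, or if the value is case-insensitive say so here, so the help text and the error message agree.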
Index: lib/python/AccessControl/cAccessControl.c
===
--- lib/python/AccessControl/cAccessControl.c   (revision 30788)
+++ lib/python/AccessControl/cAccessControl.c   (working copy)
@@ -2254,9 +2254,18 @@
 module_setDefaultBehaviors(PyObject *ignored, PyObject *args)
 {
   PyObject *result = NULL;
-  int own, auth;
+  int own, auth, verbose;
 
-  if (PyArg_ParseTuple(args, "ii:setDefaultBehaviors", &own, &auth)) {
+  if (PyArg_ParseTuple(args, "iii:setDefaultBehaviors", &own, &auth,
+   &verbose)) {
+if (verbose) {
+  PyErr_SetString(PyExc_NotImplementedError,
+  "This security policy implementation does not implement "
+  "the verbose option.  To enable verbose security "
+  "exceptions, add 'security-policy-implementation "
+  "python' to etc/zope.conf.");
+  return NULL;
+}
 ownerous = own;
 authenticated = authenticated;
 result = Py_None;
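Review bot: The unchanged line "authenticated = authenticated;" just below the new block is a self-assignment, so the parsed auth value is never stored and the authentication-checking argument passed from Startup has no effect in the C implementation; since this hunk already edits the function, change it to "authenticated = auth;". Separately, the format string "iii:setDefaultBehaviors" makes the third argument mandatory, so a caller still passing two arguments now fails argument parsing; "ii|i" with verbose initialised to 0 would keep such callers working.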
Index: lib/python/AccessControl/ImplPython.py
===
--- lib/python/AccessControl/ImplPython.py  (revision 30788)
+++ lib/python/AccessControl/ImplPython.py  (working copy)
@@ -21,7 +21,7 @@
 from Acquisition import aq_inner
 from Acquisition import aq_acquire
 from ExtensionClass import Base
-from zLOG import LOG, PROBLEM
+from zLOG import LOG, BLATHER, PROBLEM
 
 # This is used when a permission maps explicitly to no permission.  We
 # try and get this from cAccessControl first to make sure that if both
@@ -47,6 +47,13 @@
 
 _default_roles = ('Manager',)
 
+# If _embed_permission_in_roles is enabled, computed __roles__
+# attributes will often include a special role that encodes the name
+# of the permission from which the roles were derived.  This is useful
+# for verbose security exceptions.
+_embed_permission_in_roles = 0
+
+
 def rolesForPermissionOn(perm, object, default=_default_roles, n=None):
 """Return the roles that have the given permission on the given object
 """
@@ -57,14 +64,20 @@
 if hasattr(object, n):
 roles = getattr(object, n)
 if roles is None:
+if _embed_permission_in_roles:
+return ('Anonymous', n)
 return 'Anonymous',
 
 t = type(roles)
 if t is tuple:
 # If we get a tuple, then we don't acquire
 if r is None:
+if _embed_permission_in_roles:
+return roles + (n,)
 return roles
-return r+list(roles)
+if _embed_permission_in_roles:
+return r + list(roles)
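Review bot: As shown, the last _embed_permission_in_roles branch returns "r + list(roles)" with nothing appended, whereas the two branches above add n to the result; if the permission name is meant to be embedded on this path as well, append it here. The visible paths also return different types (a tuple in the first two, a list in the last), so it is worth stating in the docstring of rolesForPermissionOn that callers must accept both and must skip the embedded entry when comparing roles.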