[Zope-dev] Re: Puzzling change to guarded_getitem in Zope 2.8

2005-08-27 Thread Tres Seaver

Richard Jones wrote:

 I'm migrating our 2.7-developed Product to 2.8. The following change has me 
 puzzled. In 2.7,  AccessControl.ZopeGuards guarded_getitem has the following 
 code:
 
 def guarded_getitem(object, index):
     [ snip handling of slices ]
     ...
     v = object[index]
     if Containers(type(object)) and Containers(type(v)):
         # Simple type.  Short circuit.
         return v
     if getSecurityManager().validate(object, object, index, v):
         return v
     raise Unauthorized, 'unauthorized access to element %s' % `i`
 
 note the use of index in the validate call. In 2.8, this appears as:
 
 def guarded_getitem(object, index):
     [ snip handling of slices ]
     ...
     v = object[index]
     if Containers(type(object)) and Containers(type(v)):
         # Simple type.  Short circuit.
         return v
     if getSecurityManager().validate(object, object, None, v):
         return v
     raise Unauthorized, 'unauthorized access to element %s' % `i`
 
 where index has become None. This would appear to imply that we can't 
 perform access controls on a per-item basis in sequences or mappings, unless 
 we do so in the actual __getitem__ method, which implies there's no such 
 thing as trusted code. We have an access policy implementation of:
 
 def _checkAccess(self, name, value):
     if name.startswith('CG'):
         return 1
     if self.isValidAggregateName(name):
         return 1
     return 0
 security.setDefaultAccess(_checkAccess)
 
 which obviously doesn't work any more, since name is never an item name;
 it's always None.

I found some discussion of this from the January 2004 zope-dev archives:

  http://mail.zope.org/pipermail/zope-dev/2004-January/thread.html#21425

That discussion led Jim to revert the change on the 2.7 branch.  Jim's
resolution to collector #1182 (http://www.zope.org/Collectors/Zope/1182) says:

  I have reverted the changes to pass None rather than item keys.

  Note that in the future (Zope 2.9) we will not support
  distinguishing access based on mapping or sequence keys or indexes.

So, it looks as though we should revert that portion of revision 24358 on
the 2.8 branch, while leaving the trunk alone (so that 2.9 becomes the
cutover point).

Index: lib/python/AccessControl/ZopeGuards.py
===
- --- lib/python/AccessControl/ZopeGuards.py  (revision 38085)
+++ lib/python/AccessControl/ZopeGuards.py  (working copy)
@@ -68,7 +68,7 @@
 if Containers(type(object)) and Containers(type(v)):
 # Simple type.  Short circuit.
 return v
- -if getSecurityManager().validate(object, object, None, v):
+if getSecurityManager().validate(object, object, index, v):
 return v
 raise Unauthorized, 'unauthorized access to element %s' % `i`
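Review bot: the unchanged context line `raise Unauthorized, 'unauthorized access to element %s' % \`i\`` refers to `i`, but the function's parameter (see the quoted definition of guarded_getitem above) is `index`, so on the denial path this raises NameError rather than Unauthorized and the key never appears in the message; since the hunk already touches the line just before it, change it to `% \`index\`` (or `% repr(index)`) in the same commit, and make sure the test added on the 2.8 branch exercises a denied lookup so the exception type is actually checked.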

I have committed this change, along with a test, on the 2.8 branch
(revision #38120), but will revert if Jim or Andreas objects.

In the meanwhile, it seems as though Richard's application needs to grow
an access check layer within its '__getitem__' before it will be ready
for Zope 2.9.


Tres.
--
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   Excellence by Designhttp://palladion.com

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
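A toy model of the situation in the thread, added here as an example and not code from Zope or from either poster: a 2.8-style guarded_getitem that hands validate() None instead of the key, Richard's 'CG'/aggregate-name policy (with isValidAggregateName replaced by a constructed allow-list), and the container-side __getitem__ check Tres suggests; Unauthorized, validate() and guarded_getitem() are stand-ins for the AccessControl originals.

```python
# Added example, not Zope's code: toy model of the thread's behaviour. The
# names stand in for AccessControl's; the Containers() short circuit is omitted.
class Unauthorized(Exception):
    """Stand-in for AccessControl's Unauthorized."""

def item_policy(name):
    """Richard's per-key rule: keys starting with 'CG' or a valid aggregate
    name pass.  isValidAggregateName is replaced by a constructed allow-list."""
    return name.startswith("CG") or name in {"total", "average"}

def validate(container, accessed, name, value):
    """Toy validate(): from 2.8 on guarded_getitem passes name=None, so a
    key-based policy has nothing to decide on and falls back to allowing."""
    return True if name is None else item_policy(name)

def guarded_getitem(container, index):
    """Toy 2.8-style guarded_getitem: validate() never sees the key."""
    v = container[index]
    if validate(container, container, None, v):
        return v
    raise Unauthorized("unauthorized access to element %r" % (index,))

class GuardedMapping(dict):
    """Checks the per-key policy inside __getitem__, the only place the key
    is still visible once validate() receives None (Tres's suggestion)."""
    def __getitem__(self, key):
        if not item_policy(key):
            raise Unauthorized("unauthorized access to element %r" % (key,))
        return dict.__getitem__(self, key)

# Constructed sample data: one allowed key, one the policy should refuse.
PLAIN = {"CGtotal": 1, "secret": 2}
GUARDED = GuardedMapping(PLAIN)

def leaks_with_plain_dict(key):
    """True if the 2.8-style guard returns a key the policy forbids."""
    try:
        guarded_getitem(PLAIN, key)
    except Unauthorized:
        return False
    return not item_policy(key)

def blocked_by_getitem(key):
    """True if the container-side check refuses the key."""
    try:
        guarded_getitem(GUARDED, key)
    except Unauthorized:
        return True
    return False
```

With a plain dict the policy is silently bypassed for "secret"; with the check moved into __getitem__ the same lookup is refused while "CGtotal" still works.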


[Zope-dev] Re: Puzzling change to guarded_getitem in Zope 2.8

2005-08-26 Thread Tres Seaver

Richard Jones wrote:
 On Fri, 26 Aug 2005 10:00 am, Richard Jones wrote:
 
I'm migrating our 2.7-developed Product to 2.8. The following change has me
puzzled. In 2.7,  AccessControl.ZopeGuards guarded_getitem has the
following code:
 
 
 OK, Tres made the change, with the relevant bit of the log message being:
 
 Iteration over sequences could in some cases fail to check access
 to an object obtained from the sequence. Subsequent checks (such
 as for attributes access) of such an object would still be
 performed, but it should not have been possible to obtain the
 object in the first place.
 
 List and dictionary instance methods such as the get method of
 dictionary objects were not security aware and could return an
 object without checking access to that object. Subsequent checks
 (such as for attributes access) of such an object would still be
 performed, but it should not have been possible to obtain the
 object in the first place.
 
 So I presume that the change *intended* to move the onus of validation from 
 the guarded_getitem method to the __getitem__ method of the container? No 
 more trusted access to custom (ie. not builtin) sequence/mapping objects?

Disclaimer:  while I committed those changes, they were the result of a
month-long audit by most of ZC's staff in December 2003;  my memory of
the rationale for each change is thus extra suspect.

IIRC, the decision was that the ability to enforce access based on key
(rather than attribute name) was an accidental artifact;  further, that
passing the key as 'name' to validate caused a bunch of other weird side
effects, which all went away if we passed 'None', as originally intended
for checks on __getitem__.


Tres.
