Log message for revision 40436: Ensure that in the presence of proxy roles, if none match, then lose. Use the "wrapped" owner when testing context inside proxy roles. Therefore, move the check of the user's roles to the end, since proxy roles make the user's roles irrelevant. This also simplifies the C version, since we don't need to worry about setting the result back to NULL if we haven't assigned it when an error occurs. Incorporate comments from the C version (so that the correspondence is clearer).
Changed: U Zope/branches/tseaver-collector_1774/lib/python/AccessControl/ImplPython.py -=-
Modified: Zope/branches/tseaver-collector_1774/lib/python/AccessControl/ImplPython.py
===================================================================
--- Zope/branches/tseaver-collector_1774/lib/python/AccessControl/ImplPython.py 2005-11-30 23:20:42 UTC (rev 40435)
+++ Zope/branches/tseaver-collector_1774/lib/python/AccessControl/ImplPython.py 2005-11-30 23:35:15 UTC (rev 40436)
@@ -465,26 +465,38 @@
 roles = rolesForPermissionOn(permission, object)
 if isinstance(roles, basestring):
 roles = [roles]
- result = context.user.allowed(object, roles)
 # check executable owner and proxy roles
 stack = context.stack
 if stack:
 eo = stack[-1]
+ # If the executable had an owner, can it execute?
 if self._ownerous:
 owner = eo.getOwner()
 if (owner is not None) and not owner.allowed(object, roles):
+ # We don't want someone to acquire if they can't
+ # get an unacquired!
 return 0
 proxy_roles = getattr(eo, '_proxy_roles', None)
 if proxy_roles:
- if object is not aq_base(object):
- if not owner._check_context(object):
- return 0
+ # Verify that the owner actually can state the proxy role
+ # in the context of the accessed item; users in subfolders
+ # should not be able to use proxy roles to access items
+ # above their subfolder!
+ owner = eo.getWrappedOwner()
+ if owner is not None:
+ if object is not aq_base(object):
+ if not owner._check_context(object):
+ # object is higher up than the owner,
+ # deny access
+ return 0
 for r in proxy_roles:
 if r in roles:
 return 1
- return result
+ return 0
+ return context.user.allowed(object, roles)
+
 # AccessControl.SecurityManager
 # -----------------------------
_______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins
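Review bot: The new `if owner is not None:` guard only wraps the containment check, so when `eo.getWrappedOwner()` returns None the `for r in proxy_roles:` loop still runs and an executable that carries `_proxy_roles` but has no wrapped owner is granted those roles wherever `object` sits in the hierarchy; the hunk does not say whether an unowned executable is a case the policy is meant to allow. The removed lines had the same gap in a different form (they dereferenced `owner` from the `_ownerous` branch unconditionally), so this is not a regression, but the proxy-role comment should state the intent explicitly, e.g. `# No wrapped owner: proxy roles are honoured without the containment check` above the loop, or the case should fail closed with `if owner is None: return 0` right after the `getWrappedOwner()` call if no-owner executables are not expected to proxy. The enclosing method (the `validate` policy check) begins before this hunk, so the origin of `permission`, `object` and `context` is not visible here.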