I forgot to add cc: for the list, sorry

Dmitry Vasiliev wrote:

>> Looking at the code, the ZopeConnection object is created by the ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual DatabaseAdapter) with a simple call - self._v_connection = ZopeConnection(self._connection_factory(), self) >> and the ZopeConnection class does not have anything, that deals with security, as far as I can see.
> See zope/app/rdb/configure.zcml for security declarations.

I mean - I see in the zcml configuration, that zope.ManageContent permission is required for ZopeConnection, but I don't see what in the ZopeConnection object could provide it for the user. So my explanation is that the security policy simply allows one special kind of user in all cases, without ever checking permission and actually I found exactly the code, that does that, by seeing if the user is system_user and just granting access if yes. I didn't go deep enough to confirm that a user with zope.Manager granted _from principals.zcml_ is assigned that property, it's just my guess. However, it seems to me that when the zope.Manager role is granted by the UI grant tool, the user doesn't get system_user, permissions are cheked, a proxy is not found for the ZopeConnection and access is denied in all cases.

I can eventually create a functional test to demonstrate, but it will take too much effort to browse around for the bits I need (since it is a really good framework and code, but it is a complete nightmare for the newcommer to follow the logic trough it).

The problem is easy to reproduce in a few simple steps - assuming clean installation from the .tgz release, here is what I do:

1. create an instance (of course), zope.Manager granted principal is crated by the mkzopeinstance script. 2. uncomment the sample zope.Member principal 'frodo' in principals.zcml and run zope
-- using the browser from now on:
3. login with the zope.Manager principal use the grant tool to grant zope.Manager role at the top of the site to the 'frodo' principal 4. go to manage site -> site management and add a database adapter, gadfly will do, dbi is something in the form of dbi://dbname;dir=/tmp, or any other dir as apropriate
5. login as frodo and go to /++etc++site/tools/yourdbaname
6. select the test page and just click on 'execute'
7. unauthorized
8. if you try (5),(6) with the zope.Manager principal, you will see the database adapter working as expected (producing an error in this example actually, but not 'unauthorized' exception)

> Can you repeat all this experiments on clean Z3 setup (without any additional components and without your old Data.fs file, check also for all possibly conflicting modules on the PYTHONPATH)?

I just downloaded Zope-3.1.0c2, installed it clean and got the same behaviour. I am using python 2.4.1 and I will check with 2.3.5 if needed, but I saw enough Zope3 code already and I don't think this will change anything.

I don't have much idea what module could be conflicting in the case of Zope3 and database adapters. The setup is clean, the test machine is freshly configured and I don't see what could get in the way, but I will check that more carefully too, if you can not reproduce the error at your side.

Velko Ivanov

I changed the permissions for ZopeConnection, ZopeCursor and ZopeRow in zope/app/rdb/configure.zcml to zope.Public and it of course works, but that is again by going around the security policy, as with the system_user - it is just unconditionally allowing acces if the permission is zope.Public
Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to