I forgot to add cc: for the list, sorry
Dmitry Vasiliev wrote:
>> Looking at the code, the ZopeConnection object is created by the
>> ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual
>> DatabaseAdapter) with a simple call -
>> self._v_connection = ZopeConnection(self._connection_factory(), self)
>> and the ZopeConnection class does not have anything that deals with
>> security, as far as I can see.
>
> See zope/app/rdb/configure.zcml for security declarations.
>
I mean - I see in the zcml configuration that zope.ManageContent
permission is required for ZopeConnection, but I don't see what in the
ZopeConnection object could provide it for the user. So my explanation
is that the security policy simply allows one special kind of user in
all cases, without ever checking permission, and actually I found exactly
the code that does that, by seeing if the user is system_user and just
granting access if yes. I didn't go deep enough to confirm that a user
with zope.Manager granted _from principals.zcml_ is assigned that
property, it's just my guess. However, it seems to me that when the
zope.Manager role is granted by the UI grant tool, the user doesn't get
system_user, permissions are checked, a proxy is not found for the
ZopeConnection and access is denied in all cases.
I can eventually create a functional test to demonstrate, but it will
take too much effort to browse around for the bits I need (since it is a
really good framework and code, but it is a complete nightmare for the
newcomer to follow the logic through it).
The problem is easy to reproduce in a few simple steps - assuming clean
installation from the .tgz release, here is what I do:
1. create an instance (of course), zope.Manager granted principal is
created by the mkzopeinstance script.
2. uncomment the sample zope.Member principal 'frodo' in principals.zcml
and run zope
-- using the browser from now on:
3. login with the zope.Manager principal, use the grant tool to grant
zope.Manager role at the top of the site to the 'frodo' principal
4. go to manage site -> site management and add a database adapter,
gadfly will do, dbi is something in the form of dbi://dbname;dir=/tmp,
or any other dir as appropriate
5. login as frodo and go to /++etc++site/tools/yourdbaname
6. select the test page and just click on 'execute'
7. unauthorized
8. if you try (5),(6) with the zope.Manager principal, you will see the
database adapter working as expected (producing an error in this example
actually, but not 'unauthorized' exception)
>
>
> Can you repeat all these experiments on clean Z3 setup (without any
> additional components and without your old Data.fs file, check also for
> all possibly conflicting modules on the PYTHONPATH)?
>
I just downloaded Zope-3.1.0c2, installed it clean and got the same
behaviour. I am using python 2.4.1 and I will check with 2.3.5 if
needed, but I saw enough Zope3 code already and I don't think this will
change anything.
I don't have much idea what module could be conflicting in the case of
Zope3 and database adapters. The setup is clean, the test machine is
freshly configured and I don't see what could get in the way, but I will
check that more carefully too, if you can not reproduce the error at
your side.
Regards,
Velko Ivanov
P.s.:
I changed the permissions for ZopeConnection, ZopeCursor and ZopeRow in
zope/app/rdb/configure.zcml to zope.Public and it of course works, but
that is again by going around the security policy, as with the
system_user - it is just unconditionally allowing access if the
permission is zope.Public
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com
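The three access paths the report contrasts (the system_user shortcut, the zope.Public shortcut, and the ordinary role-to-permission lookup that a UI grant is supposed to feed) can be laid out in a small model. The block below is an added example, not code from Zope 3 or from the original post; the class names `Policy` and `Checker`, the `SYSTEM_USER` id, the `cursor` attribute and the role/permission wiring are assumptions chosen for illustration, and the real machinery lives in zope.security and the Zope 3 security policy. What it shows is the outcome a working grant lookup produces for each principal; the behaviour reported above is that the third path fails for 'frodo' while the two shortcuts still succeed, which is exactly why switching to zope.Public "works" without actually exercising the grant.

```python
# Added example (not Zope code): toy model of checker + policy access paths.
# SYSTEM_USER, Policy, Checker, "cursor" and the role ids are assumptions.


class Unauthorized(Exception):
    """Raised when a principal lacks the permission a checker requires."""


SYSTEM_USER = "zope.system"   # stand-in for Zope's special system_user principal
PUBLIC = "zope.Public"        # the one permission every checker lets through


class Policy:
    """Role-based policy: principal -> roles -> permissions."""

    def __init__(self):
        self.role_permissions = {}   # role id -> set of permission ids
        self.principal_roles = {}    # principal id -> set of role ids

    def define_role(self, role, *permissions):
        self.role_permissions.setdefault(role, set()).update(permissions)

    def grant_role(self, principal, role):
        # What a grant in principals.zcml or the UI grant tool is expected to record.
        self.principal_roles.setdefault(principal, set()).add(role)

    def check_permission(self, permission, principal):
        # Path 1: the system user is trusted without consulting any grant.
        if principal == SYSTEM_USER:
            return True
        # Path 3: an ordinary principal needs the permission through some role.
        return any(
            permission in self.role_permissions.get(role, ())
            for role in self.principal_roles.get(principal, ())
        )


class Checker:
    """Per-class table of attribute -> required permission, i.e. what a
    <require permission="..."/> declaration in configure.zcml amounts to."""

    def __init__(self, required):
        self.required = dict(required)

    def check(self, policy, principal, name):
        permission = self.required.get(name)
        if permission is None:
            # No declaration at all: nobody gets the attribute.
            raise Unauthorized(f"{name}: no security declaration")
        # Path 2: zope.Public short-circuits before the policy is asked.
        if permission == PUBLIC:
            return
        if not policy.check_permission(permission, principal):
            raise Unauthorized(f"{name}: {principal} lacks {permission}")


def try_access(policy, checker, principal, name):
    """Return 'ok' or 'unauthorized' for one attribute access."""
    try:
        checker.check(policy, principal, name)
        return "ok"
    except Unauthorized:
        return "unauthorized"


def run_scenario():
    """The principals from the report against both declarations (constructed data)."""
    policy = Policy()
    policy.define_role("zope.Manager", "zope.ManageContent")
    policy.define_role("zope.Member", "zope.View")
    policy.grant_role("frodo", "zope.Member")    # as in the sample principals.zcml
    policy.grant_role("frodo", "zope.Manager")   # what step 3 grants via the UI

    # ZopeConnection as declared: cursor() requires zope.ManageContent.
    declared = Checker({"cursor": "zope.ManageContent"})
    # The P.s. workaround: the attribute made zope.Public.
    public = Checker({"cursor": PUBLIC})

    return {
        "system_user/declared": try_access(policy, declared, SYSTEM_USER, "cursor"),
        "frodo/declared": try_access(policy, declared, "frodo", "cursor"),
        "anonymous/declared": try_access(policy, declared, "anonymous", "cursor"),
        "anonymous/public": try_access(policy, public, "anonymous", "cursor"),
        "frodo/undeclared": try_access(policy, declared, "frodo", "commit"),
    }


if __name__ == "__main__":
    for key, result in run_scenario().items():
        print(f"{key:24} {result}")
```

In this model 'frodo' passes the declared check once the zope.Manager grant is recorded, which is the result the reproduction steps expect and do not get; the two rows that stay green regardless of grants (system_user, and any principal against a zope.Public declaration) are the bypasses the report warns against relying on.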