In our applications we use `z3c.pagelet` together with the
`IPageletBrowserLayer` defined by `z3c.layer.pagelet`. The latter registers two traversers, `SimpleComponentTraverser` and `ItemTraverser`, as trusted

I do not completely understand the reason for doing so (as explained in the `trusted` layer's README), but it seems to me that doing so raises a security

(BTW, there seems to be no difference at all between the `IMinimalBrowserLayer` and the `ITrustedBrowserLayer`, all three subpackages in `z3c.layer` register
both traversers as trusted adapters.)

Registering a traverser as a trusted adapter means that the adapted object will
not be security protected.  Normally this will be no problem, since the
traversed object will be explicitly security proxied by the publication
traverser's `traverseName` method (defined by the
`zope.app.publication.publicationtraverse` module). The problem arises if the traversed object is not the object itself, but a view on it--assuming the view is called via the default namespace and not via the 'view' namespace, i.e.
without '@@' prepended.

To see the problem consider what happens if you traverse to a container view
via the default namespace:

* `traverseName` looks up the traverser by querying for the adapter providing
  `IPublishTraverse` and calls its `publishTraverse` method.

* In the case of a container the traverser will be the `ItemTraverser` (defined by the `zope.app.container.traversal` module) which will return the view registered for the container. Since the traverser is trusted, its context isn't security proxied. Therefore the container won't be security proxied
  either when adapted by the view.

So after traversing, the view itself will be security proxied (by the
`traverseName` method), but access to its context container will *not* obey any
security restrictions.  In other words, the security declaration for the
container itself will be ignored.

This does not happen of course when traversing via the `view` namespace, since
the `view` traverser is not registered as a trusted adapter by the

I verified the described behaviour by commenting out the security declaration for some container. Doing so I was able to traverse to it via the default
namespace, but not via the 'view' namespace.

Now, in our applications, we not only use pagelets, but also `z3c.form` based forms. When I tried to run our tests without registering the traversers
as trusted adapters, it turned out that a number of additional security
declarations are necessary to make the tests pass again. E.g., I had to
explicitly allow access to widgets like

  <class class="z3c.form.browser.text.TextWidget">
    <allow interface="z3c.form.interfaces.IWidget" />
  </class>

and also to add a `widget` attribute to the definition of the `IErrorViewSnippet`.

Since I can't believe that everybody else using `z3c.form` is also using
trusted traversers, I wonder if I am missing something crucial here ...


Markus Kemmerling

Medical University Vienna
Core Unit for Medical Education
P.O. Box 10  A-1097 Vienna
phone: +43-1-40 160-36 863  fax: +43-1-40 160-93 65 00

Zope3-users mailing list
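
The proxying order described in the post above, as an added example that is not part of the original post and is not Zope code. It is a simplified, self-contained model that does not use `zope.security`; `Proxy`, `ALLOWED`, `Container`, `ListingView`, `traverse_name` and `render_listing` are hypothetical stand-ins, and the sample data is constructed.

```python
# Simplified model (assumption): NOT zope.security, only the proxying order.
class Forbidden(Exception):
    pass

class Proxy:
    """Stand-in for a security proxy: only names in `allowed` are readable."""
    def __init__(self, obj, allowed):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_allowed", allowed)

    def __getattr__(self, name):
        # Called only for names not found on the proxy itself.
        if name not in self._allowed:
            raise Forbidden(name)
        return getattr(self._obj, name)

class Container:
    def __init__(self):
        self.items = {"secret-report": object()}  # constructed sample data

    def keys(self):
        return sorted(self.items)

class ListingView:
    def __init__(self, context):
        self.context = context

    def render(self):
        return ", ".join(self.context.keys())

# Constructed declarations: the container grants nothing, the view grants render.
ALLOWED = {Container: frozenset(), ListingView: frozenset({"render"})}

def proxy(obj):
    return Proxy(obj, ALLOWED[type(obj)])

def traverse_name(ob, trusted):
    """Models traverseName: look up the traverser, call it, proxy the result."""
    # A trusted adapter receives the bare object; an untrusted one the proxy.
    context = ob._obj if trusted and isinstance(ob, Proxy) else ob
    view = ListingView(context)  # what the traverser returns for the view name
    return proxy(view)           # the result is always proxied

def render_listing(trusted):
    view = traverse_name(proxy(Container()), trusted)
    try:
        return view.render()
    except Forbidden as exc:
        return "Forbidden: %s" % exc
```

In this model `render_listing(trusted=True)` lists the container's keys even though the container grants no access, while `render_listing(trusted=False)` is stopped at `keys`.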
