This is a subtle problem, and a little hard to explain. I've included a sample view + ZCML to illustrate -- see below.
The problem comes up when you have a view that implements IBrowserPublisher and returns itself in browserDefault (see sample below).
The code that looks up browserDefault is in zope\app\publication\browser.py starting at line 56:

    if IBrowserPublisher.providedBy(ob):
        # ob is already proxied, so the result of ...
        return ob.browserDefault(request)

When PermissionProxy is used, ob is a correctly security-proxied PermissionProxy instance. The permissions on ob work as expected.
When ob returns itself in browserDefault, however, it returns a security-proxied version of the base object -- not the permission proxy that owns the __Security_checker__. Because __Security_checker__ isn't available, the security proxy uses whatever checker is registered for the view type. In the case where zope:view is used to register a view (see sample zcml below), there will be no checker -- and the security proxy returned by browserDefault will be entirely forbidden.
This problem didn't occur before because proxify either modified the utility's __Security_checker__ directly, or created a security proxy outright.
This may not actually be a 'bug', but it's very subtle behavior -- and hard to track down if you run into it. There are a couple work-arounds in ZCML:
- Declare permissions for the view class
- Use the zope:adapter directive to register the view
Originally reported by Garrett Smith in https://bugs.launchpad.net/zope.security/+bug/98190.
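A simplified model of the behaviour described in this report, as an added example that is not part of the original report and is not zope.security's code: `SampleView`, `security_proxy`, `TYPE_CHECKERS` and the other names are hypothetical stand-ins. It shows the object returned from `browserDefault` falling back to an empty default checker, and the first workaround (a checker declared for the view class) restoring access.

```python
class Forbidden(Exception):
    pass

class Checker:
    def __init__(self, names):
        self.names = set(names)
    def check(self, name):
        if name not in self.names:
            raise Forbidden(name)

DEFAULT_CHECKER = Checker(())  # used when no checker is registered: nothing allowed
TYPE_CHECKERS = {}             # per-class checkers ("declare permissions for the view class")

class PermissionProxy:
    """Transparent wrapper that owns the checker. Attribute access is forwarded,
    so methods stay bound to the wrapped object, not to this wrapper."""
    def __init__(self, obj, checker):
        self.__dict__.update(_obj=obj, __Security_checker__=checker)
    def __getattr__(self, name):
        return getattr(self._obj, name)

class SecurityProxy:
    def __init__(self, obj, checker):
        self.__dict__.update(_obj=obj, _checker=checker)
    def __getattr__(self, name):
        self._checker.check(name)
        attr = getattr(self._obj, name)
        if callable(attr):  # results of calls are security-proxied again
            return lambda *a, **kw: security_proxy(attr(*a, **kw))
        return security_proxy(attr)

def security_proxy(value):
    if isinstance(value, str):  # simplification: plain strings pass through
        return value
    if isinstance(value, tuple):
        return tuple(security_proxy(v) for v in value)
    checker = getattr(value, "__Security_checker__", None)
    if checker is None:  # no checker on the object: fall back to its type
        checker = TYPE_CHECKERS.get(type(value), DEFAULT_CHECKER)
    return SecurityProxy(value, checker)

class SampleView:  # constructed view; no checker registered for its class
    def browserDefault(self, request):
        return self, ()  # `self` is the bare view, not the PermissionProxy
    def render(self):
        return "ok"

def traverse(register_class_checker=False):
    TYPE_CHECKERS.clear()
    names = ("browserDefault", "render")
    if register_class_checker:
        TYPE_CHECKERS[SampleView] = Checker(names)
    ob = security_proxy(PermissionProxy(SampleView(), Checker(names)))
    first = ob.render()  # allowed: checker comes from the PermissionProxy
    default, _path = ob.browserDefault(None)
    try:
        return first, default.render()
    except Forbidden as exc:
        return first, "Forbidden: %s" % exc
```

`traverse()` returns `("ok", "Forbidden: render")`, while `traverse(register_class_checker=True)` returns `("ok", "ok")`.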