Ticket #12273 (confirmed Bug)
Verbose security is no longer verbose in 4.1
| Reported by: | miohtama | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 4.x |
| Component: | Backend (Python) | Version: | 4.1 |
| Keywords: | patch, PAS | Cc: | kagesenshi |
Description
I don't know when this happened, but PluggableAuthService._authorizeUser() silently eats Unauthorized exceptions, making debugging some permission problem cases impossible.
In particular, it looks like the exception gets eaten at least when resolving List Folder Contents for the folder_contents view.
Later this is translated to a very unhelpful error message by ZPublisher.
I am not sure how this exception should be handled, as it seems that _authorizeUser() might be called many times by the same request. I recommend that if verbose security is on, we log all the errors to the logging output at INFO level, to at least get some hint of what's going on.
Plone 4.1 with some customizations in place - I did not try this in vanilla Plone yet, as I am still debugging what's causing the permission problem in the first place.
```
Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.BaseRequest, line 625, in traverse
  Module ZPublisher.HTTPResponse, line 756, in unauthorized
Unauthorized: <strong>You are not authorized to access this resource.</strong><p> No Authorization header found.</p>
```
Below is a stop-gap fix, also showing the code in question, where the hair pulling happens:
```python
# Stop-gap patch to PluggableAuthService._authorizeUser (Python 2 / Zope 2).
# aq_base, newSecurityManager, getSecurityManager, noSecurityManager,
# Unauthorized and _noroles are the names already imported by the PAS module.
security.declarePrivate('_authorizeUser')
def _authorizeUser(self, user, accessed, container, name, value,
                   roles=_noroles):
    """ -> boolean (whether user has roles).

    o Add the user to the SM's stack, if successful.

    o Return
    """
    user = aq_base(user).__of__(self)
    newSecurityManager(None, user)
    security = getSecurityManager()
    print "Validating security"
    try:
        try:
            if roles is _noroles:
                if security.validate(accessed, container, name, value):
                    return 1
            else:
                if security.validate(accessed, container, name, value, roles):
                    return 1
        except Exception:
            # Debug aid: show the real cause before the user is popped off
            # the security manager stack and the exception is re-raised.
            import traceback; traceback.print_exc()
            noSecurityManager()
            raise
    except Unauthorized:
        # This is where the Unauthorized gets swallowed; the traceback is
        # printed here only so the real reason is visible while debugging.
        import traceback; traceback.print_exc()
    return 0
```
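As an added standalone model (not PAS's code and not the ticket's patch), the following sketches the behaviour the description asks for: keep _authorizeUser's contract of swallowing Unauthorized and returning 0, but when verbose security is on, log the swallowed reason at INFO instead of losing it. `authorize_user`, `demo`, the `verbose` flag, the plain-list stand-in for the security manager stack and the stubbed `Unauthorized` class are assumptions made so it runs without Zope.

```python
import logging

# Stand-in for zExceptions.Unauthorized so the model runs without Zope.
class Unauthorized(Exception):
    pass

_noroles = []
logger = logging.getLogger("PluggableAuthService")

def authorize_user(sm_stack, validate, user, accessed, container, name,
                   value, roles=_noroles, verbose=False):
    """Same control flow as PAS._authorizeUser, plus INFO logging.

    The user is pushed on the security-manager stack (a plain list here),
    any exception pops it and re-raises, Unauthorized is swallowed into 0;
    with verbose on, the swallowed reason is logged instead of lost.
    """
    sm_stack.append(user)
    try:
        try:
            if roles is _noroles:
                ok = validate(accessed, container, name, value)
            else:
                ok = validate(accessed, container, name, value, roles)
            if ok:
                return 1
        except Exception:
            sm_stack.pop()
            raise
    except Unauthorized as exc:
        if verbose:
            logger.info("Unauthorized for %r on %r: %s", user, name, exc)
    return 0

def demo():
    """Deny twice (quiet, then verbose); return results and captured INFO lines."""
    records = []
    handler = logging.Handler()
    handler.emit = lambda record: records.append(record.getMessage())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    try:
        sm_stack = []
        def deny(accessed, container, name, value, roles=None):
            raise Unauthorized("No Authorization header found.")  # constructed
        quiet = authorize_user(sm_stack, deny, "anon", None, None, "folder_contents", None)
        loud = authorize_user(sm_stack, deny, "anon", None, None, "folder_contents", None, verbose=True)
    finally:
        logger.removeHandler(handler)
    return quiet, loud, len(sm_stack), records
```

Both calls still return 0 and leave the stack clean; only the verbose call leaves a log line naming the real cause.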
Change History
comment:2 Changed 4 years ago by neaj
- Version set to 4.1
It looks like this is biting me now. I see a slightly different useless traceback:
```
2012-03-10 09:31:13 ERROR Zope.SiteErrorLog 1331368273.340.531887525979 http://localhost:39109/.../feed-item.html
Traceback (innermost last):
  Module ZPublisher.Publish, line 116, in publish
  Module ZPublisher.BaseRequest, line 607, in traverse
  Module ZPublisher.HTTPResponse, line 721, in unauthorized
Unauthorized: <strong>You are not authorized to access this resource.</strong><p> Username and password are not correct.</p>
```
comment:4 Changed 4 years ago by kleist
- Status changed from new to confirmed
- Keywords patch added
- Component changed from Infrastructure to General
comment:5 Changed 4 years ago by kleist
- Keywords patch, upstream added; patch removed
This needs to be passed upstream to the Zope guys:
comment:6 Changed 4 years ago by kleist
- Status changed from confirmed to closed
- Resolution set to wontfix