Ticket #12273 (confirmed Bug)

Opened 4 years ago

Last modified 4 years ago

Verbose security is no longer verbose in 4.1

Reported by: miohtama Owned by:
Priority: major Milestone: 4.x
Component: Backend (Python) Version: 4.1
Keywords: patch, PAS Cc: kagesenshi

Description

I don't know when this has happened, but PluggableAuthService._authorizeUser() silently eats Unauthorized exceptions, making debugging of some permission-problem cases impossible.

In particular, it looks like the exception gets eaten at least when resolving List Folder Contents for the folder_contents view.

Later this is translated into a very unhelpful error message by ZPublisher:

I am not sure how this exception should be handled, as it seems that _authorizeUser() might be called many times by the same request. I recommend that if verbose security is on, we log all the errors to the logging output at INFO level, to at least get some hint of what's going on.

Plone 4.1 and some customizations in place - I did not try this in vanilla Plone yet, as I am still debugging what's causing the permission problem in the first place.

Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.BaseRequest, line 625, in traverse
  Module ZPublisher.HTTPResponse, line 756, in unauthorized
Unauthorized: <strong>You are not authorized to access this resource.</strong><p>
No Authorization header found.</p>

Below is a stop-gap fix, also showing the code in question, where the hair pulling happens:

    security.declarePrivate( '_authorizeUser' )
    def _authorizeUser( self
                      , user
                      , accessed
                      , container
                      , name
                      , value
                      , roles=_noroles
                      ):

        """ -> boolean (whether user has roles).

        o Add the user to the SM's stack, if successful.

        o Return
        """
        user = aq_base( user ).__of__( self )
        newSecurityManager( None, user )
        security = getSecurityManager()
        # stop-gap: make every validation attempt visible on stdout
        print "Validating security"
        try:
            try:
                if roles is _noroles:
                    if security.validate( accessed
                                        , container
                                        , name
                                        , value
                                        ):
                        return 1
                else:
                    if security.validate( accessed
                                        , container
                                        , name
                                        , value
                                        , roles
                                        ):
                        return 1
            except Exception, e:
                # stop-gap: dump the traceback before the security manager is
                # torn down and the exception re-raised
                import traceback ; traceback.print_exc()
                noSecurityManager()
                raise

        except Unauthorized, e:
            # this is where the Unauthorized gets swallowed; the stop-gap only
            # prints the traceback before falling through to "return 0"
            import traceback ; traceback.print_exc()
            pass

        return 0
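The logging behaviour the report asks for, as an added, self-contained example that is not PAS code: a wrapper with the same shape as _authorizeUser() that still denies on Unauthorized, but, when a verbose flag (standing in for the "verbose security" setting) is on, logs the swallowed exception at INFO together with the user, the name being accessed and the roles involved. The Unauthorized class, make_validator(), authorize_user() and capture_denials() are constructed stand-ins for the Zope pieces, and the user/role data is made up for the example.

```python
import logging

logger = logging.getLogger("PluggableAuthService")
logger.propagate = False


class Unauthorized(Exception):
    """Constructed stand-in for Zope's Unauthorized exception."""


def make_validator(user, required_roles):
    """Constructed stand-in for SecurityManager.validate().

    `required_roles` maps an attribute name to the roles allowed to access
    it; `user` is a dict with a "roles" set. Raises Unauthorized on denial,
    which is what the real validate() does as well.
    """
    def validate(accessed, container, name, value, roles=None):
        needed = set(roles) if roles is not None else set(required_roles.get(name, ()))
        if needed & set(user["roles"]):
            return True
        raise Unauthorized("%s requires one of %s, user has %s"
                           % (name, sorted(needed), sorted(user["roles"])))
    return validate


def authorize_user(validate, user, accessed, container, name, value,
                   roles=None, verbose=False):
    """Hypothetical wrapper shaped like _authorizeUser().

    Returns True when validate() accepts and False when it raises
    Unauthorized. The denial is still swallowed (callers expect a boolean),
    but with verbose=True the reason is logged at INFO instead of vanishing.
    """
    try:
        if roles is None:
            ok = validate(accessed, container, name, value)
        else:
            ok = validate(accessed, container, name, value, roles)
        return bool(ok)
    except Unauthorized as exc:
        if verbose:
            logger.info("verbose security: user %r denied %r in %r (roles=%r): %s",
                        user.get("name"), name, container, roles, exc)
        return False


class _ListHandler(logging.Handler):
    """Collects formatted log messages so the example can inspect them."""
    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(self.format(record))


def capture_denials(verbose, user, required_roles, name, roles=None):
    """Run one authorization and return (result, logged messages)."""
    handler = _ListHandler()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    try:
        result = authorize_user(make_validator(user, required_roles), user,
                                None, "folder", name, None,
                                roles=roles, verbose=verbose)
    finally:
        logger.removeHandler(handler)
    return result, handler.messages


if __name__ == "__main__":
    # constructed data: a plain Member asking for a Manager-only view
    member = {"name": "mikko", "roles": {"Member", "Authenticated"}}
    rules = {"folder_contents": ("Manager",)}
    print(capture_denials(False, member, rules, "folder_contents"))  # (False, [])
    print(capture_denials(True, member, rules, "folder_contents"))   # (False, ['verbose security: ...'])
```

The point of the example is that the return value does not change: a denial is still a denial, so the public behaviour of the method is unaffected, and only an operator who turned verbose security on gets the extra INFO line explaining which name, container and roles the check failed on.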

Attachments

plone-ticket-12273.patch Download (1.1 KB) - added by neaj 4 years ago.
Mikko's fix

Change History

comment:1 Changed 4 years ago by kleist

  • Component changed from Unknown to Infrastructure

comment:2 Changed 4 years ago by neaj

  • Version set to 4.1

It looks like this is biting me now. I see a slightly different useless traceback:

2012-03-10 09:31:13 ERROR Zope.SiteErrorLog 1331368273.340.531887525979 http://localhost:39109/.../feed-item.html
Traceback (innermost last):
  Module ZPublisher.Publish, line 116, in publish
  Module ZPublisher.BaseRequest, line 607, in traverse
  Module ZPublisher.HTTPResponse, line 721, in unauthorized
Unauthorized: <strong>You are not authorized to access this resource.</strong><p>
Username and password are not correct.</p>

Changed 4 years ago by neaj

Mikko's fix

comment:3 Changed 4 years ago by kagesenshi

  • Cc kagesenshi added

comment:4 Changed 4 years ago by kleist

  • Status changed from new to confirmed
  • Keywords patch added
  • Component changed from Infrastructure to General

comment:5 Changed 4 years ago by kleist

  • Keywords patch, upstream added; patch removed

comment:6 Changed 4 years ago by kleist

  • Status changed from confirmed to closed
  • Resolution set to wontfix

comment:7 Changed 4 years ago by kleist

  • Status changed from closed to reopened
  • Component changed from General to Backend (Python)
  • Resolution wontfix deleted
  • Keywords PAS added; upstream removed

Citing Hanno on Launchpad: "The report is for PAS - not Zope2."

comment:8 Changed 4 years ago by kleist

  • Status changed from reopened to confirmed