
Unauthorized exceptions due to creation of demo content without a security context #202

Open
pgrunewald opened this issue Sep 7, 2017 · 0 comments


pgrunewald commented Sep 7, 2017

Hello,

I would like to raise attention to the issue previously reported here that causes Unauthorized exceptions, and share my findings in the hope of getting it fixed.

The problem occurs when creating a new FormFolder and something is being traversed just below the FactoryTool, e.g. URLs like "/portal_factory/FormFolder/formfolder.2017-09-06.8581836574/some/more/path/segments".
Oddly enough, traversal works for certain browser views like the one for the AJAX field validation "@@at_validate_field", but fails terribly for longer ones, say plone locking "@@plone_lock_operations/safe_unlock".

The only obvious difference between those two seems to be the number of path segments. It turns out that Product.CMFPlone's FactoryTool gobbles some of the remaining URL path segments after the "/portal_factory".
This tool does that in before_publishing_traverse by looking for the pattern {type_name}/{id}/{method_name}, where method_name is the type-specific method looked up in the TypesTool. If this pattern does not match, traversing is delegated to the objects below the portal_factory. This is what causes this problem.

By traversing below the object, the factory tool eventually causes a call to PloneFormGen's initializeArchetype, which tries to create objects even when no security context is established.
This causes the Unauthorized exception reported in this issue and explains the phenomenon a user reported in this issue, that one has only the Anonymous role during this moment.

In summary we can say:

  • The behavior of Product.CMFPlone's FactoryTool is not consistent for browser views of different segment lengths.
  • Other portal types do not suffer from this problem, unless they create demo content.
  • The problem might be worked around in Products.PloneFormGen, but I guess the more appropriate place would be Product.CMFPlone(?)

I reported the problem here, since more people have raised attention to the problem here than in CMFPlone, but I am willing to report it there as well if needed.

My setup is:

  • Plone 4.3.14
  • Products.PloneFormGen 1.7.21

This is the stacktrace for the broken @@plone_lock_operations/safe_unlock call:

/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(127)publish()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/BaseRequest.py(508)traverse()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/BaseRequest.py(352)traverseName()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/BaseRequest.py(135)publishTraverse()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(208)__getitem__()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(69)_createObjectByType()
/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(560)_constructInstance()
/eggs/Products.PloneFormGen-1.7.21-py2.7.egg/Products/PloneFormGen/content/form.py(866)initializeArchetype()
/eggs/Products.ATContentTypes-2.1.19-py2.7.egg/Products/ATContentTypes/lib/constraintypes.py(277)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/PortalFolder.py(292)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(841)constructContent()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(316)constructInstance()

And this is the stacktrace at the same location for a working @@at_validate_field call:

/eggs/Zope2-2.13.26-py2.7.egg/ZServer/PubCore/ZServerPublisher.py(31)__init__()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(455)publish_module()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(249)publish_module_standard()
/eggs/Products.PDBDebugMode-1.3.1-py2.7.egg/Products/PDBDebugMode/runcall.py(83)pdb_publish()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(138)publish()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/mapply.py(77)mapply()
/eggs/Products.PDBDebugMode-1.3.1-py2.7.egg/Products/PDBDebugMode/runcall.py(70)pdb_runcall()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(48)call_object()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(460)__call__()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(208)__getitem__()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(560)_constructInstance()
/eggs/Products.PloneFormGen-1.7.21-py2.7.egg/Products/PloneFormGen/content/form.py(866)initializeArchetype()
/eggs/Products.ATContentTypes-2.1.19-py2.7.egg/Products/ATContentTypes/lib/constraintypes.py(277)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/PortalFolder.py(292)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(841)constructContent()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(315)constructInstance()

regards, Paul
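The following is an added, constructed model of the traversal behaviour described in the report above; it is not code from Products.CMFPlone, PloneFormGen, or the reporter. All function names, the outcome strings, and the demo child ids are hypothetical; the only inputs taken from the issue are the two URLs and the {type_name}/{id}/{method_name} pattern. It shows why the number of trailing segments decides whether object creation (and thus the Unauthorized) is triggered, and how gating demo-content creation on an established security context would avoid the failure.

```python
# Constructed model of the traversal behaviour the issue describes.
# This is NOT Products.CMFPlone's FactoryTool or PloneFormGen code;
# all names here are hypothetical and the demo child ids are made up.

class Unauthorized(Exception):
    """Stands in for AccessControl's Unauthorized."""


def route_factory_path(path):
    """Model of before_publishing_traverse below '/portal_factory'.

    Per the issue, the factory looks for {type_name}/{id}/{method_name}.
    In this model exactly one trailing segment is served by the factory
    itself; a longer remainder does not match the pattern and is
    delegated to the object below the factory, which triggers creation.
    """
    segments = [s for s in path.split("/") if s]
    if len(segments) < 3 or segments[0] != "portal_factory":
        return ("not-factory", [])
    rest = segments[3:]  # everything after {type_name}/{id}
    if len(rest) == 1:
        return ("factory-method", rest)
    return ("delegate", rest)


def initialize_archetype(authenticated, guard_demo_content):
    """Model of initializeArchetype creating demo children via invokeFactory.

    invokeFactory needs a security context; with only the Anonymous role it
    raises Unauthorized. The guard flag models a workaround on the
    PloneFormGen side: skip demo content when no security context exists.
    """
    if guard_demo_content and not authenticated:
        return []  # defer demo content instead of failing the request
    if not authenticated:
        raise Unauthorized("invokeFactory with only the Anonymous role")
    return ["mailer", "thank-you"]  # constructed demo child ids


def simulate_request(path, authenticated, guard_demo_content=False):
    """Return the outcome of publishing `path` under the model above."""
    outcome, _rest = route_factory_path(path)
    if outcome != "delegate":
        return outcome
    try:
        children = initialize_archetype(authenticated, guard_demo_content)
    except Unauthorized:
        return "Unauthorized"
    if children:
        return "delegated-with-demo-content"
    return "delegated-without-demo-content"
```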
