Blocking inheritance of local roles in @@sharing not properly working?

Hi there,

we have a private Plone Folder (in Plone 4.3.X) 'tester1' where the account 'tester1' has the local roles Contributor, Reviewer, Editor, Reader:

>>> doc = app.restrictedTraverse('inst/eforen/security-test/tester1')
>>> doc._p_jar.sync()
>>> doc.__ac_local_roles__
{'aj2': ['Owner'], 'tester1': [u'Contributor', u'Reviewer', u'Editor', u'Reader']}

Inheritance for local roles is disabled:

>>> doc.__ac_local_roles_block__
True 

The 'View' permission is mapped to these roles:

According to the local roles and the permission mapping for 'View', the account 'tester1' should be able to view
the folder 'tester1'.

However Unauthorized is being raised:

Unauthorized: Your user account does not have the required permission. 
 Access to 'macros' of (FSPageTemplate at /inst/eforen/security-test/tester1/main_template) denied. 

Your user account, tester1, exists at /inst/acl_users. Access requires View_Permission, granted to the following roles: ['Contributor', 'Editor', 'GroupAdmin', 'Manager', 'Owner', 'Reader', 'Site Administrator']. 

Your roles in this context are ['Authenticated', u'Contributor', u'Editor', 'Member', u'Reader', u'Reviewer'].

So VerboseSecurity tells me that I don't have the View permission, although the necessary roles and the local roles for 'tester1' overlap?

Am I missing something?

Andreas
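To make the check described in the post above concrete, here is a simplified model of how roles in context are collected and compared against the roles a permission is granted to. This is an added example, not code from Plone, AccessControl or borg.localrole: the real implementations walk the acquisition chain and consult the user folder and group plugins, while this toy keeps only the two rules the thread relies on, namely that local roles on the object carrying `__ac_local_roles_block__` still count but nothing above it is inherited, and that access requires a non-empty overlap between the user's roles in context and the permission's role mapping. The object names and the roles for 'tester1' mirror the post; the parent folder roles for a second user 'tester2' are constructed to show the block taking effect.

```python
"""Simplified model of Zope/Plone local-role lookup and the View check.

Added example: this is NOT AccessControl or borg.localrole code, only a
small model of the rules the thread discusses.  Names follow the post;
the 'tester2' roles on the parent folder are constructed for illustration.
"""


class Obj:
    """A content object with optional local roles and an inheritance block."""

    def __init__(self, name, parent=None, local_roles=None, block=False,
                 view_roles=None):
        self.name = name
        self.__parent__ = parent
        # {user_id: [role, ...]} as in __ac_local_roles__ on a Zope object
        self.__ac_local_roles__ = local_roles or {}
        # True stops inheritance of local roles from ancestors ("block" in @@sharing)
        self.__ac_local_roles_block__ = block
        # roles that the 'View' permission is mapped to on this object;
        # None means the mapping is acquired from the parent
        self.view_roles = view_roles


def local_roles_in_context(user_id, obj):
    """Collect local roles for user_id walking up __parent__.

    Roles defined on the object that carries __ac_local_roles_block__ are
    still included; the walk stops there, so ancestors contribute nothing.
    """
    roles = set()
    current = obj
    while current is not None:
        roles.update(current.__ac_local_roles__.get(user_id, ()))
        if current.__ac_local_roles_block__:
            break
        current = current.__parent__
    return roles


def roles_for_view(obj):
    """Role mapping for 'View', acquired from the nearest object that sets it."""
    current = obj
    while current is not None:
        if current.view_roles is not None:
            return set(current.view_roles)
        current = current.__parent__
    return set()


def can_view(user_id, global_roles, obj):
    """The test VerboseSecurity reports on: roles in context must overlap
    the roles the permission is granted to."""
    roles_in_context = set(global_roles) | local_roles_in_context(user_id, obj)
    return bool(roles_in_context & roles_for_view(obj))


def build_tree():
    """Constructed hierarchy mirroring inst/eforen/security-test/tester1."""
    site = Obj("eforen", view_roles=[
        "Contributor", "Editor", "GroupAdmin", "Manager",
        "Owner", "Reader", "Site Administrator"])
    # 'tester2' as Reader on the parent folder is an assumption for the demo
    security_test = Obj("security-test", parent=site,
                        local_roles={"tester2": ["Reader"]})
    tester1_folder = Obj("tester1", parent=security_test,
                         local_roles={"aj2": ["Owner"],
                                      "tester1": ["Contributor", "Reviewer",
                                                  "Editor", "Reader"]},
                         block=True)
    return security_test, tester1_folder


if __name__ == "__main__":
    parent, folder = build_tree()
    member = ["Authenticated", "Member"]
    print("tester1 on tester1:", can_view("tester1", member, folder))     # True
    print("tester2 on security-test:", can_view("tester2", member, parent))  # True
    print("tester2 on tester1 (blocked):", can_view("tester2", member, folder))  # False
```

With the roles from the post, `can_view("tester1", ...)` on the folder is True, which is exactly why the Unauthorized in the thread is surprising: a stock role lookup would grant access, so the cause has to be in whatever computes roles in context rather than in the mapping shown by VerboseSecurity.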

It's interesting that some of the role names are unicode, others not. Should not make a difference though.

>>> u'Reader' == 'Reader'
True
>>> u'Reader' is 'Reader'
False
>>> 'Reader' is 'Reader'
True
>>> 'Reader' in [u'Reader',]
True
>>>

I think __ac_local_roles_block__ is not related to the problem, and suspect you want to try in order:

(1) pdb.set_trace() inside AccessControl.users.BasicUsers.allowed()

(2) setting doc.__ac_local_roles__ to all contain non-unicode string element values.

(3) pdb.set_trace() inside borg.localrole.workspace.WorkspaceLocalRoleManager.getRolesInContext()

Sean

Could it be that the view requires permissions?

Completely unrelated.

At least the unicode versions of the roles in ac_local_roles are not the problem.

-aj

None of the allowed() methods of BasicUsers is called here.

-aj

I'm not familiar with this VerboseSecurity stuff (seems very useful btw), but this seems interesting: "Access requires View_Permission". Maybe "View_Permission" != "View" ?

Nice try...and perhaps "Access content information" is part of the problem...but not really the core of the evil...I have to admit that it works with stock Plone 4.3 - this is a legacy portal running on Anthil CMS with Plone 4.X under the hood.

-aj

Explanation of this mystery: the code contained several patches to borg.localrole that caused the different behavior of the @@sharing tab and the misleading information from VerboseSecurity. This was hard to track down (third-party legacy project). Sorry for the noise.

Andreas
