/@@member-fields browser view unprotected?

yurj · November 18, 2024, 7:28am

https://classic.demo.plone.org/@@member-fields

As you can see, you can view this page unauthenticated. But there's a permission:

plone/plone.app.users/blob/47483e65bea6cef6ed9456c36f727745a66c696f/plone/app/users/browser/configure.zcml#L71-L77


      
          <browser:page
              name="member-fields"
              for="*"
              class=".schemaeditor.MemberSchemaContext"
              allowed_interface="OFS.interfaces.IItem"
              permission="plone.app.controlpanel.UsersAndGroups"
              />

and in https://classic.demo.plone.org/manage_access plone.app.controlpanel.UsersAndGroups (title: Plone Site Setup: Users and Groups) is correctly set only for Manager and Site Administrator.

The configure uses allowed_interface="OFS.interfaces.IItem" which looks strange to me (removing it change anything).

Another problem is that body class of this page contains viewpermission-view and thus is not considered by backend.xml diazo rules (when you use them).

Any idea how to debug this?

davisagli · November 19, 2024, 2:01am

The configure uses allowed_interface="OFS.interfaces.IItem" which looks strange to me (removing it change anything).

This might mean that only the attributes included in IItem are protected by the permission (and not __call__, which is usually what we want for views). This should probably be removed.

Fortunately it doesn't appear to be possible to actually save the member-fields from this view while logged out.

Another problem is that body class of this page contains viewpermission-view and thus is not considered by backend.xml diazo rules (when you use them).

This is probably a side effect of the first problem.

yurj · November 19, 2024, 9:16am

The problem, from my point of view, is that the permission:
permission="plone.app.controlpanel.UsersAndGroups"
does not protect the view as expected.

The view inherits from:

github.com

plone/plone.schemaeditor/blob/6f8fb096abf217bb73d5bed3ad819671f491c723/plone/schemaeditor/browser/schema/traversal.py#L10


      
          from OFS.SimpleItem import SimpleItem
          from plone.schemaeditor.browser.field.traversal import FieldContext
          from plone.schemaeditor.interfaces import ISchemaContext
          from zope.interface import implementer
          from zope.publisher.interfaces.browser import IBrowserPublisher
          from ZPublisher.BaseRequest import DefaultPublishTraverse
          
          
          @implementer(ISchemaContext, IBrowserPublisher)
          class SchemaContext(SimpleItem):
              """This is a transient item that allows us to traverse through (a wrapper
              of) a zope 3 schema to (a wrapper of) a zope 3 schema field.
              """
          
              schemaEditorView = None
              additionalSchemata = ()
              allowedFields = None  # all fields
              fieldsWhichCannotBeDeleted = ()
              enableFieldsets = True

which has a browserDefault method:

    def browserDefault(self, request):
        """If not traversing through the schema to a field,
        show the SchemaListingPage.
        """
        return self, ("@@edit",)

from https://www.zope.dev/zope_secrets/request.html:

" A browser publisher is described by the interface IBrowserPublisher, which is a sub-interface of IPublishTraverse and is implemented by the DefaultPublishTraverse class. Again, the IBrowserPublisher for the traversed-to object is found in one of three ways: the object may implement it itself; or it may be adaptable, with the request, to this interface; or the fallback DefaultPublishTraverse may be used. The browserDefault() method on the IBrowserPublisher is then called with the request as an argument."

then we have:

github.com

plone/plone.schemaeditor/blob/master/plone/schemaeditor/browser/schema/configure.zcml

<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser"
    xmlns:five="http://namespaces.zope.org/five"
    i18n_domain="plone"
    >

  <browser:page
      name="edit"
      for="plone.schemaeditor.interfaces.ISchemaContext"
      class=".listing.SchemaListingPage"
      permission="plone.schemaeditor.ManageSchemata"
      />

  <browser:page
      name="add-field"
      for="plone.schemaeditor.interfaces.ISchemaContext"
      class=".add_field.FieldAddFormPage"
      permission="plone.schemaeditor.ManageSchemata"
      />

This file has been truncated. show original

  <browser:page
      name="edit"
      for="plone.schemaeditor.interfaces.ISchemaContext"
      class=".listing.SchemaListingPage"
      permission="plone.schemaeditor.ManageSchemata"
      />

but plone.schemaeditor.ManageSchemata is a permission given only to Manager.

But this is beyond my knowledge...

davisagli · November 21, 2024, 7:43pm

@yurj Ah, thanks for reminding me about the additional traversal to the edit view of the schema context.

There is a more specific edit view registered for IMemberSchemaContext. This is where the permission needs to be fixed:

github.com

plone/plone.app.users/blob/master/plone/app/users/browser/configure.zcml#L79-L84


      
          <browser:page
              name="edit"
              for=".schemaeditor.IMemberSchemaContext"
              class=".schemaeditor.SchemaListingPage"
              permission="zope2.View"
              />