We have seen various Unauthorized issues related to the security patch on expression traversal (expressions.py). One of them is from an oldish plone.app.discussion 2.4.20 on Plone 5.0:
Module Products.Five.browser.pagetemplatefile, line 125, in __call__
Module Products.Five.browser.pagetemplatefile, line 59, in __call__
Module zope.pagetemplate.pagetemplate, line 132, in pt_render
Module five.pt.engine, line 98, in __call__
Module z3c.pt.pagetemplate, line 163, in render
Module chameleon.zpt.template, line 261, in render
Module chameleon.template, line 191, in render
Module chameleon.template, line 171, in render
Module 2c6e66f202bf032e7210f72aecab5c7e, line 594, in render
Module five.pt.expressions, line 154, in __call__
Module Products.PloneHotfix20210518.expressions, line 46, in traverse
Module five.pt.expressions, line 123, in traverse
Module OFS.Traversable, line 317, in restrictedTraverse
Module OFS.Traversable, line 251, in unrestrictedTraverse
__traceback_info__: ([], 'author_name')
Unauthorized: You are not allowed to access 'author_name' in this context - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/comments.pt - Location: (line 55: col 49) - Source: alt reply/author_name" />
I'm not sure if this is just our old weird setup or whether the patch (expressions.py) really has some effect on security checks. I'm investigating this and will update once I know more.
Verbose security is more telling:
Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'author_name' of (plone.app.discussion.comment.Comment object at 0x7efe50f0e488) denied. Your user account, atsoukka, exists at /Plone/acl_users. Access requires View_Permission, granted to the following roles: ['Editor', 'Manager', 'Owner', 'Reader', 'Reviewer', 'Site Administrator']. - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/comments.pt - Location: (line 55: col 49) - Source: alt reply/author_name" />
Sure, this could be due to bad old code breaking the acquisition chain already before this patch. The curious thing is why this works without the patch.
Somehow unrestrictedTraverse gets changed into restrictedTraverse when the patch calls the original traverse at the end.
Update:
The patch, patching five.pt's BoboAwareZopeTraverse, inadvertently(?) changes TrustedBoboAwareZopeTraverse to use restrictedTraverse instead of unrestrictedTraverse. I assume that this is the same for the merged five.pt features in Products.PageTemplates.
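As an added illustration (not code from the post, from five.pt or from the hotfix): a minimal Python model of how a wrapper installed on a base class's classmethod can make a subclass lose its own cls, so that a trusted subclass silently falls back to the base class's restricted traversal. The class names follow the post; the traverse_method attribute, the method bodies and both patch functions are simplified stand-ins, not the real implementation.

```python
def make_classes():
    """Build a fresh base/trusted pair, modelled on five.pt's traverser classes."""

    class BoboAwareZopeTraverse(object):
        traverse_method = 'restrictedTraverse'   # security-checked traversal

        @classmethod
        def traverse(cls, base, request, path_items):
            # The real method walks path_items via getattr(base, cls.traverse_method);
            # this stand-in only reports which traversal method cls would use.
            return cls.traverse_method

    class TrustedBoboAwareZopeTraverse(BoboAwareZopeTraverse):
        traverse_method = 'unrestrictedTraverse'  # trusted templates skip the checks

    return BoboAwareZopeTraverse, TrustedBoboAwareZopeTraverse


def patch_naively(klass):
    """Model of the pitfall: capture the method already bound to the base class."""
    orig = klass.traverse                       # bound classmethod, cls fixed to klass

    def traverse(cls, base, request, path_items):
        # ... extra checks on path_items would go here ...
        return orig(base, request, path_items)  # caller's cls (the subclass) is dropped

    klass.traverse = classmethod(traverse)


def patch_preserving_cls(klass):
    """Corrected wrapper: unwrap the function and forward the caller's cls."""
    orig = klass.__dict__['traverse'].__func__  # plain function, not yet bound

    def traverse(cls, base, request, path_items):
        return orig(cls, base, request, path_items)

    klass.traverse = classmethod(traverse)


def methods_after(patcher):
    """Apply patcher to the base class; return (base_method, trusted_method) in use."""
    base, trusted = make_classes()
    patcher(base)
    path = ['author_name']  # constructed sample path, as in the post's traceback
    return base.traverse(None, None, path), trusted.traverse(None, None, path)


if __name__ == '__main__':
    print('naive patch:     ', methods_after(patch_naively))
    print('cls-preserving:  ', methods_after(patch_preserving_cls))
```

With the naive wrapper both classes report restrictedTraverse, which is the behaviour change the post describes; the cls-preserving wrapper keeps the trusted subclass on unrestrictedTraverse.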