
Unauthorized exceptions due to creation of demo content without a security context

Open pgrunewald opened this issue 7 years ago • 0 comments

Hello,

I would like to raise attention to the issue previously reported here that causes Unauthorized exceptions, and share my findings in the hope of getting it fixed.

The problem occurs when creating a new FormFolder and something is being traversed just below the FactoryTool, such as URLs like "/portal_factory/FormFolder/formfolder.2017-09-06.8581836574/some/more/path/segments". Oddly enough, traversal works for certain browser views like the one for the AJAX field validation, "@@at_validate_field", but fails terribly for longer ones, say Plone locking's "@@plone_lock_operations/safe_unlock".

The only obvious difference between those two seems to be the number of path segments. It turns out that Products.CMFPlone's FactoryTool gobbles some of the remaining URL path segments after "/portal_factory". This tool does that in before_publishing_traverse by looking for the pattern {type_name}/{id}/{method_name}, whereas method_name is the type-specific method looked up in the TypesTool. If this pattern does not match, traversing is delegated to the objects below the portal_factory. This is what causes the problem.

By traversing below the object, the factory tool will eventually cause PloneFormGen's initializeArchetype to be called, which tries to create objects even when no security context has been established. This causes the Unauthorized exception reported in this issue and explains the phenomenon a user reported in an issue: that one has only the Anonymous role during this moment.

In summary we can say:

  • The behavior of Products.CMFPlone's FactoryTool is not consistent for browser views of different segment length.
  • Other portal types do not suffer from this problem, unless they create demo content.
  • The problem might be worked around in Products.PloneFormGen, but I guess the more appropriate place would be Products.CMFPlone(?)

I reported the problem here, since more people have raised attention to the problem here than in CMFPlone, but I am willing to report it there as well if needed.

My setup is:

  • Plone 4.3.14
  • Products.PloneFormGen 1.7.21

This is the stacktrace for the broken @@plone_lock_operations/safe_unlock call:

/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(127)publish()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/BaseRequest.py(508)traverse()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/BaseRequest.py(352)traverseName()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/BaseRequest.py(135)publishTraverse()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(208)__getitem__()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(69)_createObjectByType()
/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(560)_constructInstance()
/eggs/Products.PloneFormGen-1.7.21-py2.7.egg/Products/PloneFormGen/content/form.py(866)initializeArchetype()
/eggs/Products.ATContentTypes-2.1.19-py2.7.egg/Products/ATContentTypes/lib/constraintypes.py(277)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/PortalFolder.py(292)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(841)constructContent()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(316)constructInstance()

And this is the stacktrace at the same location for a working @@at_validate_field call:

/eggs/Zope2-2.13.26-py2.7.egg/ZServer/PubCore/ZServerPublisher.py(31)__init__()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(455)publish_module()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(249)publish_module_standard()
/eggs/Products.PDBDebugMode-1.3.1-py2.7.egg/Products/PDBDebugMode/runcall.py(83)pdb_publish()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(138)publish()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/mapply.py(77)mapply()
/eggs/Products.PDBDebugMode-1.3.1-py2.7.egg/Products/PDBDebugMode/runcall.py(70)pdb_runcall()
/eggs/Zope2-2.13.26-py2.7.egg/ZPublisher/Publish.py(48)call_object()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(460)__call__()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/FactoryTool.py(208)__getitem__()
/eggs/Products.CMFPlone-4.3.14-py2.7.egg/Products/CMFPlone/
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(560)_constructInstance()
/eggs/Products.PloneFormGen-1.7.21-py2.7.egg/Products/PloneFormGen/content/form.py(866)initializeArchetype()
/eggs/Products.ATContentTypes-2.1.19-py2.7.egg/Products/ATContentTypes/lib/constraintypes.py(277)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/PortalFolder.py(292)invokeFactory()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(841)constructContent()
/eggs/Products.CMFCore-2.2.9-py2.7.egg/Products/CMFCore/TypesTool.py(315)constructInstance()

regards, Paul

pgrunewald, Sep 07 '17 09:09
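The traversal difference the issue describes, as an added stand-alone model that is not code from Products.CMFPlone or Products.PloneFormGen: FactoryToolModel, FormFolderModel, Unauthorized, the role sets and the demo-content ids are assumptions. It reproduces the Unauthorized outcome for the four-segment path, where the object is constructed at traversal time with only the Anonymous role, and shows a defensive variant that skips demo content when no security context exists yet.

```python
# Stand-alone model of the traversal behaviour described in the issue; this is
# NOT code from Products.CMFPlone or Products.PloneFormGen. Class names, role
# sets and demo-content ids are constructed for illustration.

class Unauthorized(Exception):
    """Stand-in for AccessControl's Unauthorized."""


class FormFolderModel:
    """Stand-in for a FormFolder whose initializeArchetype creates demo content
    via invokeFactory, which needs more than the Anonymous role."""

    def __init__(self, guarded=False):
        self.guarded = guarded
        self.children = []

    def initialize_archetype(self, roles):
        if roles <= {"Anonymous"}:
            if self.guarded:
                # defensive variant: skip demo content instead of failing when no
                # security context has been established yet
                return self.children
            raise Unauthorized("invokeFactory without a security context")
        self.children.extend(["mailer", "thank-you"])  # constructed ids
        return self.children


class FactoryToolModel:
    """Models the {type_name}/{id}/{method_name} check the issue attributes to
    FactoryTool.before_publishing_traverse."""

    def __init__(self, known_methods, guarded=False):
        self.known_methods = set(known_methods)
        self.guarded = guarded

    def publish(self, segments, traversal_roles, call_roles):
        folder = FormFolderModel(guarded=self.guarded)
        if len(segments) == 3 and segments[2] in self.known_methods:
            # pattern matched: object is built in __call__, after authentication
            return folder.initialize_archetype(call_roles)
        # no match: traversal is delegated below portal_factory and __getitem__
        # builds the object immediately, with the request's traversal-time roles
        return folder.initialize_archetype(traversal_roles)


def outcome(tool, path, traversal_roles, call_roles):
    """Return the created demo ids, or 'Unauthorized' if construction failed."""
    try:
        return tool.publish(path.split("/"), traversal_roles, call_roles)
    except Unauthorized:
        return "Unauthorized"
```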