Testing Security in a Debugging Session

Submitted by: slinkp
Last Edited: 2003-02-28

Category: Security

Description:
You're debugging Zope at the Python prompt and want to find out,
for example, whether a user has permission to do something.

Kudos to Chris McDonough and Sean Upton for showing me how to do
this on the zope mailing list!

Quick summary: You need to register the user with the
SecurityManager, like so:

from AccessControl.SecurityManagement import newSecurityManager
user = some_folder.acl_users.getUser('UserName').__of__(some_folder.acl_users)
newSecurityManager(None, user)

Now let's look at that in the context of a debugging session,
and also see what happens if you DON'T do this.


Source (Text):
Zope debugging session for /zope/InstanceHome
          The root application object is bound to name 'app'.
          To let other people see your changes, you must:
            get_transaction().commit()
          To see other people's changes, you must:
            app._p_jar.sync()
>>> folder = app.paul_stuff.test_dynausers
>>> user = folder.acl_users.getUser('bob')
>>> user
bob
>>> user.getRoles()
('Manager', 'ldap_role', 'Authenticated')
>>> #### here's how to find out what roles are needed for a permission
...
>>> from AccessControl.PermissionRole import rolesForPermissionOn
>>> rolesForPermissionOn('View', folder.testview)
('Manager', 'ldap_role')
>>> ### It looks like bob should be able to View folder.testview, right?
... ### He has 2 of the required roles for View permission on folder.testview. 
... ### Here's how you test for a permission:
...
>>> print user.has_permission('View', folder.testview)
None
>>> ### WHAT WENT WRONG?
... ### It turns out that has_permission actually ignores the user
... ### who called it, and uses AccessControl.getSecurityManager().getUser()
... ### instead! At any given time, the SecurityManager knows who the
... ### current user is and uses that for all tests.
... ### We haven't told the SecurityManager about poor bob, so 
... ### instead we get the default user, which of course is...
...
>>> from AccessControl import getSecurityManager
>>> getSecurityManager().getUser()
Anonymous User
>>> ### That's right, in a debugging session the default is Anonymous.
... ### Which brings us to the point of this recipe... 
... ##################################################################
... ### How to tell the SecurityManager to use a particular user ####
...
>>> from AccessControl.SecurityManagement import newSecurityManager
>>> user = folder.acl_users.getUser('bob').__of__(folder.acl_users)
>>> ### __of__ is needed to wrap the user in an acquisition context
... ### like Zope normally does.
...
>>> newSecurityManager(None, user)
>>> ### just to make sure, let's see who the current user is
...
>>> getSecurityManager().getUser()
bob
>>> ### FINALLY we can perform has_permission() tests!
...
>>> print user.has_permission('View', folder.testview)
1

Explanation:
Exploring Zope in an interactive debugging session is
HIGHLY recommended. Instructions on getting into a
live session are in the "Developers' Guide:"http://www.zope.org/Documentation/Books/ZDG/current/TestingAndDebugging.stx

But unfortunately you will quickly find that there's a lot of
"magic" that Zope does, which you have to invoke manually
in a debug session, or else some things just won't work right.
For example: security. There's nothing in the dev guide about
debugging security, and without the magic words shown in this
recipe, some_user.has_permission() fails mysteriously: it returns
None instead of raising, because it checks the SecurityManager's
current user (Anonymous by default) rather than some_user itself.
There may well be other security methods that work the same
way, using getSecurityManager().getUser() instead of the user
you might have expected.
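To show why the recipe is needed without a running Zope, here is a small model of the mechanism (added here, not Zope's code): a per-thread SecurityManager, a User whose has_permission() ignores its receiver and consults that manager, and a rolesForPermissionOn() that walks up the containment chain. The names mirror AccessControl's API; the Folder class and its permission_roles map are assumptions made for the model.

```python
# Model of Zope's ambient security manager. NOT AccessControl itself; it
# reproduces the behaviour the debugging session above runs into.
import threading

_managers = {}  # one SecurityManager per thread, as AccessControl keeps it


class SecurityManager:
    def __init__(self, user):
        self._user = user

    def getUser(self):
        return self._user


class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, tuple(roles)

    def getRoles(self):
        return self.roles

    def has_permission(self, permission, obj):
        # Deliberately ignores self: the check is made for the CURRENT user,
        # i.e. whoever the SecurityManager says is logged in.
        current = getSecurityManager().getUser()
        needed = rolesForPermissionOn(permission, obj)
        return any(role in needed for role in current.getRoles())


ANONYMOUS = User('Anonymous User', ('Anonymous',))


def getSecurityManager():
    # No manager registered for this thread -> default to Anonymous.
    return _managers.get(threading.get_ident(), SecurityManager(ANONYMOUS))


def newSecurityManager(request, user):
    _managers[threading.get_ident()] = SecurityManager(user)


def noSecurityManager():
    _managers.pop(threading.get_ident(), None)


class Folder:  # assumed container: settings acquired from parent (hypothetical)
    def __init__(self, parent=None, permission_roles=None):
        self.parent, self.permission_roles = parent, permission_roles or {}


def rolesForPermissionOn(permission, obj):
    # Walk up the containment chain until a role setting is found.
    while obj is not None:
        if permission in obj.permission_roles:
            return tuple(obj.permission_roles[permission])
        obj = obj.parent
    return ('Manager',)


def demo():
    root = Folder(permission_roles={'View': ('Manager', 'ldap_role')})
    testview = Folder(parent=root)
    bob = User('bob', ('Manager', 'ldap_role', 'Authenticated'))
    before = bob.has_permission('View', testview)  # Anonymous is current
    newSecurityManager(None, bob)                   # the recipe's fix
    after = bob.has_permission('View', testview)
    noSecurityManager()                             # restore the default
    return before, after
```

demo() returns (False, True): the same call fails before newSecurityManager() and succeeds after it, exactly as in the session above.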