Opened 11 years ago
Last modified 10 years ago
#11293 closed defect
AuthzPolicy fails SILENTLY! — at Version 1
| Reported by: | Dirk Stöcker | Owned by: | |
|---|---|---|---|
| Priority: | highest | Milestone: | 1.0.2 |
| Component: | general | Version: | 1.0-stable |
| Severity: | normal | Keywords: | authzpolicy, permissions, exception |
| Cc: | Jun Omae | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description (last modified by )
When python-configobj is not avaibalble, the AuthzPolicy fails without any notice (except a log entry). In the default config that means, that all pages are accessible and any restrictions are void. This is VERY dangerous.
Immediate Fix:
--- /usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py~ 2013-09-05 14:38:16.000000000 +0200
+++ /usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py 2013-09-05 14:38:37.346011447 +0200
@@ -139,8 +139,8 @@
def check_permission(self, action, username, resource, perm):
if ConfigObj is None:
- self.log.error('configobj package not found')
- return None
+ self.log.error('AuthzPolicy: configobj package not found')
+ return False # never silently fail!
if self.authz_file and not self.authz_mtime or \
os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
Also the setup.py should show clearly, that AuthzPolicy requires python-configobj to make the problem obvious.
Note:
See TracTickets
for help on using tickets.
