Opened 11 years ago
Last modified 10 years ago
#11293 closed defect
AuthzPolicy fails SILENTLY! — at Version 1
Reported by: | Dirk Stöcker | Owned by: | |
---|---|---|---|
Priority: | highest | Milestone: | 1.0.2 |
Component: | general | Version: | 1.0-stable |
Severity: | normal | Keywords: | authzpolicy, permissions, exception |
Cc: | Jun Omae | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description (last modified by )
When python-configobj is not available, the AuthzPolicy fails without any notice (except a log entry). In the default config that means that all pages are accessible and any restrictions are void. This is VERY dangerous.
Immediate Fix:
--- /usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py~ 2013-09-05 14:38:16.000000000 +0200 +++ /usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py 2013-09-05 14:38:37.346011447 +0200 @@ -139,8 +139,8 @@ def check_permission(self, action, username, resource, perm): if ConfigObj is None: - self.log.error('configobj package not found') - return None + self.log.error('AuthzPolicy: configobj package not found') + return False # never silently fail! if self.authz_file and not self.authz_mtime or \ os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
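Review bot: in check_permission, the `if ConfigObj is None:` branch still reports the problem only through self.log.error, and with `return False` it now does so on every permission check while denying every user regardless of username or action. Consider raising an error from this branch, or checking for configobj once when the policy is loaded, so the missing dependency is shown to whoever hits the page rather than repeated in the log. The `# never silently fail!` comment would then describe what the code actually does.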
Also, the setup.py should show clearly that AuthzPolicy requires python-configobj, to make the problem obvious.
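The failure mode reported above, as an added Python example that is not part of the ticket and not Trac's code: a simplified model of a policy chain in which `None` means "no opinion" and the next policy decides. It compares abstaining (before the patch), denying (the patch) and raising. The class names, rules and grants are constructed for illustration.

```python
# Simplified model of a permission-policy chain; not Trac's code.
# A policy answers True (allow), False (deny) or None (no opinion);
# the first non-None answer wins, so a None falls through to the next policy.

class FallbackPolicy:
    """Hypothetical permissive fallback: grants what the permission table lists."""
    def __init__(self, grants):
        self.grants = grants                      # {username: {actions}}

    def check_permission(self, action, username, resource):
        return action in self.grants.get(username, set())


class FileBackedPolicy:
    """Hypothetical rule-file policy whose parser dependency may be missing."""
    def __init__(self, rules, parser_available, on_missing):
        self.rules = rules                        # {resource: {username: {actions}}}
        self.parser_available = parser_available
        self.on_missing = on_missing              # "abstain", "deny" or "raise"

    def check_permission(self, action, username, resource):
        if not self.parser_available:
            if self.on_missing == "abstain":      # behaviour before the patch
                return None
            if self.on_missing == "deny":         # behaviour after the patch
                return False
            raise RuntimeError("rule-file policy enabled but its parser is missing")
        section = self.rules.get(resource)
        if section is None:
            return None                           # no rule for this resource
        return action in section.get(username, set())


def decide(policies, action, username, resource):
    for policy in policies:
        decision = policy.check_permission(action, username, resource)
        if decision is not None:
            return decision
    return False                                  # nobody decided: deny


# Constructed sample data: one restricted page, one permissive default grant.
RULES = {"wiki:Private": {"alice": {"WIKI_VIEW"}}}
GRANTS = {"anonymous": {"WIKI_VIEW"}, "alice": {"WIKI_VIEW"}}


def outcome(parser_available, on_missing, username):
    chain = [FileBackedPolicy(RULES, parser_available, on_missing),
             FallbackPolicy(GRANTS)]
    return decide(chain, "WIKI_VIEW", username, "wiki:Private")
```

With the parser missing, `outcome(False, "abstain", "anonymous")` grants access to the restricted page, while `"deny"` blocks anonymous and alice alike and `"raise"` stops the request with an explicit error.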