Opened 11 years ago
Last modified 10 years ago
#11293 closed defect
AuthzPolicy fails SILENTLY! — at Initial Version
Reported by: | Dirk Stöcker | Owned by: | |
---|---|---|---|
Priority: | highest | Milestone: | 1.0.2 |
Component: | general | Version: | 1.0-stable |
Severity: | normal | Keywords: | authzpolicy, permissions, exception |
Cc: | Jun Omae | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
When python-configobj is not available, the AuthzPolicy fails without any notice. In the default config that means that all pages are accessible and any restrictions are void. This is VERY dangerous.
Immediate Fix:
--- /usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py~ 2013-09-05 14:38:16.000000000 +0200 +++ /usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py 2013-09-05 14:38:37.346011447 +0200 @@ -139,8 +139,8 @@ def check_permission(self, action, username, resource, perm): if ConfigObj is None: - self.log.error('configobj package not found') - return None + self.log.error('AuthzPolicy: configobj package not found') + return False # never silently fail! if self.authz_file and not self.authz_mtime or \ os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
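Review bot: In check_permission, `return False` under `if ConfigObj is None` makes this policy refuse every action for every user, administrators included, and the check runs on each call, so the same error line is written on every permission check. Failing closed is the right direction compared with `return None`, but consider detecting the missing configobj package once, when the policy is loaded, and raising a configuration error there, so the operator gets one clear failure rather than a site that rejects all requests while the log fills up. The trailing comment `# never silently fail!` would be more useful if it said what False means at this point (deny, instead of leaving the decision to the next policy).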
Also, the setup.py should show clearly that AuthzPolicy requires python-configobj, to make the problem obvious.
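A simplified model of the failure described in this ticket, added here as an illustration and not taken from the ticket or from Trac's code: a first-decision-wins policy chain in which a policy that returns None for a missing dependency hands the decision to a permissive fallback. The class names, rule table and grants are hypothetical and constructed for the example.

```python
# Simplified model of a first-decision-wins permission policy chain.
# All names here are hypothetical; this is not Trac's API.

class AuthzLikePolicy:
    """Per-resource rules; needs an optional parser dependency to load them."""
    def __init__(self, rules, parser_available, on_missing):
        self.rules = rules                      # {(user, resource): bool}
        self.parser_available = parser_available
        self.on_missing = on_missing            # None = abstain, False = deny

    def check_permission(self, action, username, resource):
        if not self.parser_available:
            return self.on_missing
        # None when no rule matches, so a later policy can decide
        return self.rules.get((username, resource))


class DefaultLikePolicy:
    """Coarse fallback: grants an action to anyone who holds it globally."""
    def __init__(self, grants):
        self.grants = grants                    # {user: {actions}}

    def check_permission(self, action, username, resource):
        return action in self.grants.get(username, set())


def is_allowed(policies, action, username, resource):
    """The first policy returning True/False decides; None passes to the next."""
    for policy in policies:
        decision = policy.check_permission(action, username, resource)
        if decision is not None:
            return decision
    return False


# Constructed sample data: one private page, anonymous may view wiki pages.
RULES = {("anonymous", "wiki:Private"): False}
GRANTS = {"anonymous": {"WIKI_VIEW"}}

def demo(parser_available, on_missing):
    chain = [AuthzLikePolicy(RULES, parser_available, on_missing),
             DefaultLikePolicy(GRANTS)]
    return {page: is_allowed(chain, "WIKI_VIEW", "anonymous", page)
            for page in ("wiki:Private", "wiki:Public")}

if __name__ == "__main__":
    print("dependency present     ", demo(True, None))
    print("missing, abstain (None)", demo(False, None))
    print("missing, deny (False)  ", demo(False, False))
```

With the dependency missing and None returned, the private page becomes readable; with False, the restriction holds but the public page is refused as well.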