Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #2207 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

identity.SecureObject doesn't cascade down to subcontrollers

Reported by: fetchinson Owned by: faide
Priority: highest Milestone: 1.1
Component: TurboGears Version: 1.0.8
Severity: major Keywords: security


When a subcontroller is "mounted" on a controller and this latter controller is protected by identity.SecureObject?, the methods of the subcontroller will not be protected. The only work around seems to be to wrap each and every subcontroller with identity.SecureObject? although a better solution would be to have identity.SecureObject? to cascade down automatically to every subcontroller. The problem is especially severe with catwalk. Even if the main catwalk controller is protected, the methods exposed by subcontrollers of catwalk are not, leading to serious security leakage.


class A1( RootController? ):

A2 = identity.SecureObject?( A2, identity.in_group( 'test' ) )

class A2( Controller ):

@expose( )

def meth2( self ):

return dict( )

A3 = A3( )

class A3( Controller ):

@expose( )

def meth3( self ):

return dict( )

Access to /A1/A2/meth2 is limited, as expected, by the identity.SecureObject? construction. But access to /A1/A2/A3/meth3 is not limited.

Change History

comment:1 Changed 10 years ago by faide

  • Priority changed from normal to highest
  • Severity changed from normal to major


comment:3 Changed 10 years ago by fetchinson

Mark's comment was about adding identity.SecureResource? to the base classes of the controller in question. This also doesn't help, in particular it doesn't help with catwalk. Subcontrollers' methods are still accessible without restriction.

comment:4 Changed 10 years ago by Chris Arndt

I can't confirm your last observation. Using SecurerResource as an additional base class for a controller also protects its subcontrollers. Here's an example:

class ControllerB(controllers.Controller):

    def meth1(self):
        return "ControllerB.meth1"

class ControllerA(controllers.Controller, identity.SecureResource):
    require = identity.not_anonymous()
    b = ControllerB()

    def meth1(self):
        return "ControllerA.meth1"

class Root(controllers.RootController):
    """The root controller of the application."""

    a = ControllerA()
    # ...

Can you provide a test case (i.e. actual code) where SecureResource doesn't work as it should (is documented)?

comment:5 Changed 10 years ago by Chris Arndt

  • Status changed from new to closed
  • Resolution set to fixed

Turns out, this is solely a problem in CatWalk! The CatWalk sub-controller Browse does not use controllers.Conntroller as a base class and so SecureObject does not wrap access to it in another SecureObject instance. See identity.conditions.py, line 339.

This is fixed in r6643 for all 1.x branches.

Note: See TracTickets for help on using tickets.