CatalogTool.searchResults ignores effective/expires/allowedRolesAndUsers restrictions in the base query #68

Open
d-maurer opened this issue Mar 15, 2019 · 1 comment

@d-maurer
Contributor

For unprivileged users, CatalogTool.searchResults rewrites the base query to add additional restrictions. But it is not careful enough: the restricted query can be more permissive than the unrestricted one -- potentially resulting in too many hits. Potentially affected are base queries with expires, effective or allowedRolesAndUsers subqueries. For expires and effective subqueries the problem occurs only when they are not specified by keyword arguments (but in the REQUEST argument). The following example demonstrates the problem:

>>> from Products.ZCatalog.Catalog import Catalog
>>> from Products.CMFCore.CatalogTool import CatalogTool
>>> from DateTime.DateTime import DateTime
>>> from pprint import pprint as pp
>>> 
>>> def trace(f):
...   """decorator to trace the effectively executed query."""
...   f = getattr(f, "__func__", f)
...   def traced(*args, **kw):
...     r = f(*args, **kw)
...     print("effective query:")
...     pp(r)
...     return r
...   return traced
... 
>>> # instrument `Catalog.merge_query_args` to see what happens
>>> Catalog.merge_query_args = trace(Catalog.merge_query_args)
>>> 
>>> c = CatalogTool()
>>> 
>>> def check(REQUEST=None, **kw):
...   try:
...     c(REQUEST, **kw)
...   except Exception: pass  # we are not really interested in the result
... 
>>> dt = DateTime(0)
>>> 
>>> # this works correctly
>>> check(effective=dict(query=dt, range="max"))
effective query:
{'allowedRolesAndUsers': ['Anonymous', 'Anonymous', 'user:None'],
 'effective': {'query': DateTime('1970/01/01 01:00:00 GMT+1'), 'range': 'max'},
 'expires': {'query': DateTime('2019/03/15 18:23:9.599377 GMT+1'),
             'range': 'min'}}
>>> 
>>> # this should be equivalent - but is not:
>>> #   the `effective` subquery is more permissive than it should be
>>> check(dict(effective=dict(query=dt, range="max")))
effective query:
{'allowedRolesAndUsers': ['Anonymous', 'Anonymous', 'user:None'],
 'effective': {'query': DateTime('2019/03/15 18:23:40.451992 GMT+1'),
               'range': 'max'},
 'expires': {'query': DateTime('2019/03/15 18:23:40.451992 GMT+1'),
             'range': 'min'}}
@d-maurer d-maurer added the bug label Mar 15, 2019
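As an added illustration (not CMFCore's own code) of what a safe restriction step looks like: the caller's `effective`, `expires` and `allowedRolesAndUsers` subqueries, whether they arrive as keyword arguments or in REQUEST, are intersected with the tool's own bounds rather than overwritten, so the rewritten query can only ever be stricter than the base query. The names `restrict`, `_bounds`, `_subquery` and the use of plain integer timestamps are assumptions of this example.

```python
# Constructed model of CatalogTool's restriction step; not CMFCore's own code.
# A date subquery is {"query": v or (lo, hi), "range": "min"|"max"|"min:max"}.

def _bounds(sub):
    """(lo, hi) implied by a date subquery; None means unbounded."""
    if not isinstance(sub, dict):
        return None, None
    rng = sub.get("range") or ""
    q = sub["query"]
    if not isinstance(q, (tuple, list)):
        q = (q,)
    return (min(q) if "min" in rng else None,
            max(q) if "max" in rng else None)

def _subquery(lo, hi):
    if lo is None:
        return {"query": hi, "range": "max"}
    if hi is None:
        return {"query": lo, "range": "min"}
    return {"query": (lo, hi), "range": "min:max"}

def restrict(base, request, now, permitted):
    """Merge caller restrictions (keyword args and REQUEST) with the tool's.
    Returns the effective query, or None when the intersection is empty.
    Keyword args win over REQUEST entries, as in ZCatalog's merge order."""
    query = dict(request or {})
    query.update(base)
    # allowedRolesAndUsers: intersect with what the user may see, never widen.
    wanted = query.get("allowedRolesAndUsers")
    if wanted is not None:
        if isinstance(wanted, str):
            wanted = [wanted]
        permitted = [r for r in wanted if r in permitted]
    query["allowedRolesAndUsers"] = list(permitted)
    # effective <= now: the caller may only lower the upper bound further.
    lo, hi = _bounds(query.get("effective"))
    hi = now if hi is None or hi > now else hi
    if lo is not None and hi < lo:
        return None
    query["effective"] = _subquery(lo, hi)
    # expires >= now: the caller may only raise the lower bound further.
    lo, hi = _bounds(query.get("expires"))
    lo = now if lo is None or lo < now else lo
    if hi is not None and hi < lo:
        return None
    query["expires"] = _subquery(lo, hi)
    return query
```

With the issue's example, `effective` supplied via REQUEST keeps the caller's older bound instead of being replaced by `now`, and a caller-supplied `allowedRolesAndUsers` list is narrowed, never replaced.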
@icemac
Member

icemac commented Apr 9, 2019

A PR is welcome.
