This is just a SWAG (Strategic Wild-Ass Guess), but Ty and I have been having a problem with the search feature in Squishdot 0.7.0 that seems possibly to be related.

Our trace of the problem shows that catalog searches from the SquishSite return objects which are wrapped with a *different* acquisition hierarchy than the SquishSite itself or from the User object it's trying to check roles on. Thus, *even though* the user has the right roles, user.allowed() disallows the roles as invalid because they're being granted from a (seemingly) different hierarchy.

What we found is that ZCatalog uses the older REQUEST.resolve_url() method to access the "true" objects, which has this side effect. If it used the new 2.2 traverse methods, the acquisition hierarchy would be the same. As it stands, the objects returned by ZCatalog.getobject (by way of SquishSite.__call__) even have different REQUEST objects than the original REQUEST object for the web hit.

Does this sound like it's anything related to the problems you're having?

At 05:00 PM 9/1/00 +0100, Chris Withers wrote:
Brian Lloyd wrote:
Here's a quick thing to try- if 'subject' is an attribute of your Article class, try adding:
class Article(...):
    subject__roles__=None
then restart and see if you still get unauthorized...
yup, I do :-(
And besides, 'subject' is already in __ac_permissions__, as you can see:
(a lot of stuff snipped out though ;-)
__ac_permissions__ = ( ('View', ['subject','getThread'], ('Anonymous', 'Manager')), )
and I do appropriate Globals.default__class_init__'s...
Man, I really have no idea, and not even any clue where to look.
The big factor seems to be that 'subject' is a string. I had a similar problem with the SquishFile class with the 'icon' attribute.
When it was a string:
# protected by 'View' permission
icon = 'misc_/Squishdot/squishfile_img'
..even though it was a class variable and protected in __ac_permissions__, I was getting very similar errors to the above...
I was lucky, in that case, because it was a class variable, I could turn it into a method:
# protected by 'View' permission
def icon(self):
    return 'misc_/Squishdot/squishfile_img'
..and, lo and behold, no more security errors from there... :S
Unfortunately, the string attributes in the Article class are instance attributes, not class attributes, so I can't do the same thing :-(
Any ideas?
cheers,
Chris