Bugs in new Security Stuff :P (part 3)
Finally...

I'm not convinced the new security stuff deals properly with attributes other than simple methods. Here's the evidence, again from Squishdot (guess what I've been doing ;-)

You remember the Posting class? Well, Posting's objects have a text attribute called 'subject'.

Unless you have __allow_access_to_unprotected_subobjects__=1, you get the following error after you hit cancel on the authentication dialog box that pops up:

(well, I was getting an unauthorized error on subject, now I just get no response from the server, not even a password dialog box :( That's really bad...)

Anyway, on to the next example...

If you modify Squishfile by adding an:

    __ac_permissions__=(
        ('View',
         ['file_name', 'file_type', 'content_type', 'file_bytes', 'file_kbytes',
          'date_created', 'date_modified','icon','index_html'],
         ('Anonymous', 'Manager')),
        )

and a:

    Globals.default__class_init__(Squishfile)

at the end, things should work fine, of course they don't.

Right now, I'm just getting no response from the server, what I was getting (which was better ;-) is an unauthorized error on 'icon'.

icon is defined in Squishfile as follows:

    icon='misc_/Squishdot/squishfile_img'

...and is protected by the 'View' permission as you can see above.

What is going on ?!

Chris

PS: When do you and do you not mix in RoleManager? What does it do and when is it needed?

PPS: If anyone wants to test this for themselves, let me know and I'll check my code into the Squishdot public CVS (on a branch! ;-)
Well, what do you know? I leave it for a couple of hours to set up a laptop, come back and try again. It's not hanging anymore, but I'm still getting the errors when I click cancel:

Chris Withers wrote:
Posting's objects have a text attribute called 'subject'
Unless you have __allow_access_to_unprotected_subobjects__=1, you get the following error after you hit cancel on the authentication dialog box that pops up:
Traceback (innermost last):
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 187, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 171, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 167, in __call__
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line 502, in __call__
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 163, in __call__
    (Object: site_header)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line 502, in __call__
    (Object: site_header)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_In.py, line 691, in renderwob
    (Object: site_item_list)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_Util.py, line 331, in eval
    (Object: subject_image(subject))
    (Info: subject)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 189, in validate
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\AccessControl\SecurityManager.py, line 139, in validate
  File E:\Zope\227194~1.0\lib\python\AccessControl\ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: subject
icon is defined in Squishfile as follows:
icon='misc_/Squishdot/squishfile_img'
...and is protected by the 'View' permission, but you still get the following error:
Traceback (innermost last):
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 187, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 171, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: index_html)
  File E:\Zope\2.2.0\lib\python\Products\Squishdot\Squishdot.py, line 1388, in index_html
    (Object: RoleManager)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 167, in __call__
    (Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line 502, in __call__
    (Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_In.py, line 691, in renderwob
    (Object: attachment)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 189, in validate
    (Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\AccessControl\SecurityManager.py, line 139, in validate
  File E:\Zope\227194~1.0\lib\python\AccessControl\ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: icon

Any ideas?

cheers,

Chris