Re: [Zope-dev] fixing security problems HOW?
Robin Becker writes:
> How can I find out exactly what is causing my security permissioning to fail?
> I have put extra stuff into ZPublisher\BaseRequest.py at line 463 so I know that I'm failing on
>
> Unauthorized
> You are not authorized to access this resource.
> URL='http://192.168.0.4:7080/live/index_html'
> No Authorization header found.
>
> I am an anonymous user. Even when I make /live have the same permissions as the manager I can't make it work. index_html is a dtml method of the class of which live is an instance.
> How can I figure out what is blocking the anonymous access?

The URL traversal in "ZPublisher.BaseRequest.traverse" led to a "roles" assignment with a non-"None" value. This triggers authentication checking. Anonymous did not have one of the necessary roles.

I would probably check what "roles" are determined during traversal.

Apparently, your "live" is a Z instance. It is quite easy to forget the ZClass permission mapping (or get it wrong). This may lead to strange permission problems.

Dieter
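
A simplified model of the check Dieter describes, added here as an example; it is not ZPublisher's code and not from the thread. `Node`, `trace_roles`, `deciding_step`, `check` and the sample tree are constructed, and the "latest declaration wins" rule is a modelling assumption. It records which traversal step set the effective roles, which is the object whose permission settings need inspecting.

```python
# Simplified model of role resolution during URL traversal.
# Constructed for illustration; this is NOT ZPublisher's code.
INHERIT = object()  # step declares no roles of its own

class Node:
    """Constructed stand-in for a published object."""
    def __init__(self, roles=INHERIT, **children):
        self.roles = roles        # None = public, tuple = required roles
        self.children = children

def trace_roles(root, path):
    """Walk path from root and return (effective_roles, trace)."""
    obj, roles = root, root.roles  # the root must declare roles (or None)
    trace = [("/", root.roles)]
    for name in filter(None, path.split("/")):
        obj = obj.children[name]
        if obj.roles is not INHERIT:
            roles = obj.roles     # assumption: latest declaration wins
        trace.append((name, obj.roles))
    return roles, trace

def deciding_step(trace):
    """Name of the last step that declared roles: the object to inspect."""
    return [name for name, declared in trace if declared is not INHERIT][-1]

def check(roles, user_roles):
    """'OK' if no roles are required or the user holds one of them."""
    if roles is None or set(roles) & set(user_roles):
        return "OK"
    return "Unauthorized"

# Constructed tree: public root, 'live' declares nothing, and the method
# it serves requires Manager (e.g. a class-level declaration left unmapped).
ROOT = Node(roles=None, live=Node(index_html=Node(roles=("Manager",))))

if __name__ == "__main__":
    roles, trace = trace_roles(ROOT, "/live/index_html")
    for name, declared in trace:
        print(name, "inherit" if declared is INHERIT else declared)
    print("decided by:", deciding_step(trace))
    print("anonymous:", check(roles, ("Anonymous",)))
    print("manager:", check(roles, ("Manager",)))
```
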

In article <14884.15579.573102.28509@lindm.dm>, Dieter Maurer <dieter@handshake.de> writes
> Robin Becker writes:
>> How can I find out exactly what is causing my security permissioning to fail?
>> I have put extra stuff into ZPublisher\BaseRequest.py at line 463 so I know that I'm failing on
>>
>> Unauthorized
>> You are not authorized to access this resource.
>> URL='http://192.168.0.4:7080/live/index_html'
>> No Authorization header found.
>>
>> I am an anonymous user. Even when I make /live have the same permissions as the manager I can't make it work. index_html is a dtml method of the class of which live is an instance.
>> How can I figure out what is blocking the anonymous access?
>
> The URL traversal in "ZPublisher.BaseRequest.traverse" led to a "roles" assignment with a non-"None" value. This triggers authentication checking. Anonymous did not have one of the necessary roles.
>
> I would probably check what "roles" are determined during traversal.
>
> Apparently, your "live" is a Z instance. It is quite easy to forget the ZClass permission mapping (or get it wrong). This may lead to strange permission problems.

Which ZClass permission mapping? Anonymous seems to be able to 'view'.

The 'Manager' role can log in and do stuff, but even when I change the permissions of Anonymous to be completely the same as for Manager I don't get the same behaviour; i.e. anonymous is being asked to log in?

The problem I suppose is that /live/index_html is really a permission of /live and I guess the permissions determining access etc are really in / the object which cannot be traversed to :)

--
Robin Becker

In article <XRM0TXAiCFJ6EwLk@jessikat.fsnet.co.uk>, Robin Becker <robin@jessikat.fsnet.co.uk> writes ....
>> Apparently, your "live" is a Z instance. It is quite easy to forget the ZClass permission mapping (or get it wrong). This may lead to strange permission problems.
>
> Which ZClass permission mapping? Anonymous seems to be able to 'view'.
>
> The 'Manager' role can log in and do stuff, but even when I change the permissions of Anonymous to be completely the same as for Manager I don't get the same behaviour; i.e. anonymous is being asked to log in?
>
> The problem I suppose is that /live/index_html is really a permission of /live and I guess the permissions determining access etc are really in / the object which cannot be traversed to :)

Well, I upgraded my CVS version and everything started working again. Mumble. If only I hadn't tried to get the new Python methods to work etc etc dribble dribble.

--
Robin Becker