Trying to understand the nuances of a VerboseSecurity report ..
Hi all (and Shane in particular :)

I'm triggering this error:

  Unauthorized: The owner of the executing script is defined outside the
  context of the object being accessed. Access to 'basic' of
  (License_PropertySheetsClass instance at e204528) denied. Access requires
  Access_contents_information_Permission, granted to the following roles:
  ['Administrator', 'Manager', 'Owner', 'Supporter']. The executing script is
  (PythonScript instance at e208eb8), owned by jean.

I can't understand why .. there is exactly one acl_users in this Zope instance, in the root, where user 'jean' is defined. The whole application normally works fine. Currently, the error is being triggered by a ZUnit unit test. All the other unit tests (adding, editing and deleting instances of various kinds) work fine.

The code where the error is occurring is this:

"""
# Create a new License instance and grab its propertysheet
license_id = context.ObjectCounters.newID('License')
new_license = container.newItem(license_id)
new_license_propertysheet = new_license.propertysheets.basic
"""

All I can think is that that object 'basic' lacks context for some reason (i.e. lacks an acquisition wrapper?). I can't think why it lacks context .. we use that idiom all over the app, and don't normally get any problems.

I'm trying to see if reading VerboseSecurity's source will help, but all I've found so far is a suspect double negation:

"""
def userHasRolesButNotInContext(user, object, object_roles):
    '''Returns 1 if the user has any of the listed roles but
    is not defined in a context which is not an ancestor of object.
    '''
"""

Surely either one of those 'not's should go?

--
Jean Jordaan
http://www.upfrontsystems.co.za
Jean Jordaan wrote:
All I can think is that that object 'basic' lacks context for some reason (i.e. lacks an acquisition wrapper?). I can't think why it lacks context .. we use that idiom all over the app, and don't normally get any problems.
That's all I can think of also. Try examining basic.aq_chain.
I'm trying to see if reading VerboseSecurity's source will help, but all I've found so far is a suspect double negation:
"""
def userHasRolesButNotInContext(user, object, object_roles):
    '''Returns 1 if the user has any of the listed roles but
    is not defined in a context which is not an ancestor of object.
    '''
"""
Surely either one of those 'not's should go?
Yes. I think the first one should go.

Shane
Hi Shane, Toby ..

Set Tardis for http://mail.zope.org/pipermail/zope-dev/2003-February/018837.html
All I can think is that that object 'basic' lacks context for some reason (i.e. lacks an acquisition wrapper?). I can't think why it lacks context .. we use that idiom all over the app, and don't normally get any problems.
That's all I can think of also. Try examining basic.aq_chain.
It looks like bad interaction with ZUnit:

  (Pdb) license.propertysheets.basic
  <ZInstanceSheet instance at 9a6f350>
  (Pdb) license.propertysheets.basic.aq_chain
  [<ZInstanceSheet instance at 9a6f350>,
   <License_PropertySheetsClass instance at 9a6f128>,
   <License instance at 9e19038>, <Specialist instance at 99ae6d8>,
   <Specialist instance at 996acd0>, <Folder instance at 9cad3b0>,
  *** AttributeError: testsRun

'testsRun' is an attribute that is set in ZUnit.TestMonitor

I'm poking about in ZUnit now .. benightedly ..

Here is the code context in which the above obtains::

  # Create a new reminder and reference it from the License
  reminder = container.addInstance(no_redir=1)
  import pdb; pdb.set_trace() #DBG

We are here. This fails:

  license.propertysheets.basic.manage_changeProperties(
      {reminder_id_property: reminder.id})

That is in a Script (Python). The 'license' instance was created in the calling Script (Python), and passed in as parameter.

Calling sequence:

  addLicenses (called from a ZUnitExternal test suite)
  -> addLicense (creates license instance)
  -> doRemindersForLicense(license) (creates reminder instance; calls
     license.propertysheets.basic.manage_changeProperties)

Perhaps interestingly, reminder and AUTHENTICATED_USER seem to be OK, and license and context do not:

  (Pdb) reminder.aq_chain
  [<Reminder instance at 9c39bb0>, <Specialist instance at 99682a0>,
   <Application instance at 9968a48>, <RequestContainer instance at 8fd9e68>]
  (Pdb) license.aq_chain
  [<License instance at 9e19038>, <Specialist instance at 99ae6d8>,
   <Specialist instance at 996acd0>, <Folder instance at 9cad3b0>,
  *** AttributeError: testsRun
  (Pdb) context.aq_chain
  [<Specialist instance at 99682a0>, <Specialist instance at 99ae6d8>,
   <Specialist instance at 996acd0>, <Folder instance at 9cad3b0>,
  *** AttributeError: testsRun
  (Pdb) context.REQUEST.AUTHENTICATED_USER.aq_chain
  [jean, <LoginManager instance at 996f588>,
   <Application instance at 9968a48>, <RequestContainer instance at 8fd9e68>]

--
Jean Jordaan
http://www.upfrontsystems.co.za
In case it's relevant, the Folder at the bottom of the aq_chain for license is a ZUnit temporary folder:

  (116)doRemindersForLicense()
  (Pdb) license.aq_chain
  [<License instance at 9cca368>, <Specialist instance at 9aef630>,
   <Specialist instance at 98313c8>, <Folder instance at 9cb9468>,
  *** AttributeError: testsRun
  (Pdb) license.aq_chain[3].__dict__
  {'title': '',
   'id': '00022_Products.CremeTests.LicenseTests.LicenseTests.testAddFekoDongleLicense',
   '__ac_local_roles__': {'jean': ['Owner']}}

The two Specialists are just part of our app: <Zope root>/Licenses/LicenseDocs

--
Jean Jordaan
http://www.upfrontsystems.co.za
Jean Jordaan wrote:
Hi Shane, Toby ..
Set Tardis for http://mail.zope.org/pipermail/zope-dev/2003-February/018837.html
All I can think is that that object 'basic' lacks context for some reason (i.e. lacks an acquisition wrapper?). I can't think why it lacks context .. we use that idiom all over the app, and don't normally get any problems.
That's all I can think of also. Try examining basic.aq_chain.
It looks like bad interaction with ZUnit:
  (Pdb) license.propertysheets.basic
  <ZInstanceSheet instance at 9a6f350>
  (Pdb) license.propertysheets.basic.aq_chain
  [<ZInstanceSheet instance at 9a6f350>,
   <License_PropertySheetsClass instance at 9a6f128>,
   <License instance at 9e19038>, <Specialist instance at 99ae6d8>,
   <Specialist instance at 996acd0>, <Folder instance at 9cad3b0>,
  *** AttributeError: testsRun
That AttributeError is awfully strange, but it does explain the lack of context. The chain needs to go all the way to the application and request container.

Notice that the closing square bracket is not present, and something printed three asterisks. I don't know what code would do that... perhaps Python 1.5.2?

Shane
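Added example, not part of the original thread and not Zope or VerboseSecurity code: a simplified model of the context check discussed above, showing why a user who holds a listed role is still refused when the object's acquisition chain stops before the container that holds acl_users. The Node and User classes, the global 'Manager' role for jean and the object names in PATH are assumptions made for illustration.

```python
# Simplified model of an acquisition-context check; not Zope's implementation.
ROLES = ['Administrator', 'Manager', 'Owner', 'Supporter']  # from the error report
PATH = ['tmp_folder', 'Licenses', 'LicenseDocs', 'license', 'propertysheets', 'basic']

class Node:
    """Stand-in for a wrapped object; `parent` plays the role of aq_parent."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

def aq_chain(obj):
    """Walk parent links the way obj.aq_chain lists containment."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = obj.parent
    return chain

def build(names, root):
    """Nest one Node per name under root and return the innermost one."""
    obj = root
    for name in names:
        obj = Node(name, obj)
    return obj

class User:
    def __init__(self, name, roles, user_folder):
        self.name, self.roles, self.user_folder = name, roles, user_folder

    def in_context_of(self, obj):
        # The container of the user's acl_users must be an ancestor of obj.
        return self.user_folder.parent in aq_chain(obj)

    def allowed(self, obj, object_roles):
        return any(r in object_roles for r in self.roles) and self.in_context_of(obj)

def has_roles_but_not_in_context(user, obj, object_roles):
    """True if the user holds a listed role but is defined in a context
    that is not an ancestor of obj (the docstring with one 'not' removed)."""
    return any(r in object_roles for r in user.roles) and not user.in_context_of(obj)

# Constructed sample data: one acl_users at the root, as in the thread.
app = Node('Application')
jean = User('jean', ['Manager'], Node('acl_users', app))  # 'Manager' is assumed
wrapped = build(PATH, app)     # chain reaches the application root
truncated = build(PATH, None)  # chain stops at the temporary folder

if __name__ == '__main__':
    for label, obj in (('wrapped', wrapped), ('truncated', truncated)):
        print(label, [n.name for n in aq_chain(obj)], jean.allowed(obj, ROLES))
```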
Notice that the closing square bracket is not present, and something printed three asterisks.
Myeah, 'grep -r "\*\*\*" *' in the Zope 2.5.1 source and instance Products directories doesn't turn up any AttributeError line ..
I don't know what code would do that... perhaps Python 1.5.2?
It's running:

  python2.1 -V
  Python 2.1.3

  jean@blommie creme.jean-ZopeTestCase-branch $ cat start
  #! /bin/sh
  PYTHON=/usr/bin/python2.1
  ZOPE_BASE=/usr/local/zope/2-5-1
  ZOPE_SECURITY_POLICY=PYTHON
  reldir=`dirname $0`
  INSTANCE_HOME=`cd $reldir; pwd`
  export INSTANCE_HOME ZOPE_SECURITY_POLICY
  exec $PYTHON $ZOPE_BASE/z2.py \
      -D -X -w 17085 -W 17805 \
      -u jean >> $INSTANCE_HOME/var/z2.log 2>&1 &

--
Jean Jordaan
http://www.upfrontsystems.co.za
On Thursday 20 February 2003 11:38 am, Jean Jordaan wrote:
All I can think is that that object 'basic' lacks context for some reason (i.e. lacks an acquisition wrapper?). I can't think why it lacks context .. we use that idiom all over the app, and don't normally get any problems.
You need to look inside newItem. I guess it is returning the newly created object in the form it was created; without acquisition wrapper.

--
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson
participants (3): Jean Jordaan, Shane Hathaway, Toby Dickenson