I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually".
This menuItem has an attribute called "def getVersion(self):" which returns an int.
This is the Code that prevents me from accessing the method in python, via my protocol:
if not AccessControl.getSecurityManager().validate(None, object, attributes[-1]): raise UnauthorisedAccessException('Unauthorised: ' + originalAddress)
object = <bound method HWMenuItem.getVersion of <HWMenuItem instance at 01B7B290>> This is the method getVersion
attributes[-1] = "getVersion" (string)
UnauthorisedAccessException: Unauthorised: menus.administration.addUser.getVersion
This code works for any other default Zope type, but not mine. Did I perhaps forgot a permission or something?
I can access this fine via the ZMI, but when I validate it this way, python just starts cursing at me.
Can somebody help?
Thanks
H
Herman Geldenhuys wrote:
I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually".
What do you mean by "manually"?
This code works for any other default Zope type, but not mine. Did I perhaps forgot a permission or something?
Did you do security declarations for that method?
I can access this fine via the ZMI, but when I validate it this way, python just starts cursing at me.
Why are you doing you own validation? ;-)
cheers,
Chris
Hi
Herman Geldenhuys wrote:
I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually".
What do you mean by "manually"?
By manually I mean that I have to do the validation myself. I have written a new protocol that plugs into the Zope application server. It's called OZE and I am about to release the source on sourceforge. Its an RPC-like protocol. But in a nutshell, I must do the security validation myself, because I bypass a few usual-Zope elements in the framework.
I will gladly answer any other questions, but will this satisfy for now?
H
----- Original Message ----- From: "Chris Withers" chris@simplistix.co.uk To: "Herman Geldenhuys" hgeldenhuys@gims.com Cc: zope-dev@zope.org Sent: Friday, January 30, 2004 10:48 AM Subject: Re: [Zope-dev] Security validation issue
Herman Geldenhuys wrote:
I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually".
What do you mean by "manually"?
This code works for any other default Zope type, but not mine. Did I perhaps forgot a permission or something?
Did you do security declarations for that method?
I can access this fine via the ZMI, but when I validate it this way, python just starts cursing at me.
Why are you doing you own validation? ;-)
cheers,
Chris