Security validation issue
I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually". This menuItem has an attribute called "def getVersion(self):" which returns an int.

This is the code that prevents me from accessing the method in Python, via my protocol:

    if not AccessControl.getSecurityManager().validate(None, object, attributes[-1]):
        raise UnauthorisedAccessException('Unauthorised: ' + originalAddress)

object = <bound method HWMenuItem.getVersion of <HWMenuItem instance at 01B7B290>>
This is the method getVersion

attributes[-1] = "getVersion" (string)

UnauthorisedAccessException: Unauthorised: menus.administration.addUser.getVersion

This code works for any other default Zope type, but not mine. Did I perhaps forget a permission or something? I can access this fine via the ZMI, but when I validate it this way, Python just starts cursing at me. Can somebody help?

Thanks
H
Herman Geldenhuys wrote:
I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually".
What do you mean by "manually"?
This code works for any other default Zope type, but not mine. Did I perhaps forget a permission or something?
Did you do security declarations for that method?
I can access this fine via the ZMI, but when I validate it this way, python just starts cursing at me.
Why are you doing your own validation? ;-)
cheers,
Chris
Hi
Herman Geldenhuys wrote:
I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually".
What do you mean by "manually"?
By manually I mean that I have to do the validation myself. I have written a new protocol that plugs into the Zope application server. It's called OZE and I am about to release the source on SourceForge. It's an RPC-like protocol. But in a nutshell, I must do the security validation myself, because I bypass a few usual-Zope elements in the framework. I will gladly answer any other questions, but will this satisfy for now?

H

----- Original Message -----
From: "Chris Withers" <chris@simplistix.co.uk>
To: "Herman Geldenhuys" <hgeldenhuys@gims.com>
Cc: <zope-dev@zope.org>
Sent: Friday, January 30, 2004 10:48 AM
Subject: Re: [Zope-dev] Security validation issue
Herman Geldenhuys wrote:
I've written a Zope product that exposes a "MenuItem". I add a menuItem in a Zope folder, and I have no difficulty accessing and editing it via the ZMI. I've written an xml-rpc-like protocol for Zope, that basically validates the security "manually".
What do you mean by "manually"?
This code works for any other default Zope type, but not mine. Did I perhaps forget a permission or something?
Did you do security declarations for that method?
I can access this fine via the ZMI, but when I validate it this way, python just starts cursing at me.
Why are you doing your own validation? ;-)
cheers,
Chris