I'm replying to my own email 'cos I think I know what the problem is. If you use the scheme below to try and duplicate the problem you won't, BUT if you turn off either one of the permissions for manager then you get the symptoms that I describe. OK, you'll say that manager should have those roles, and I'd agree, but as someone else said, "it's an unexpected inconsistency".
----- Original Message -----
From: "Phil Harris" <phil@harris-family.info>
To: <zope@zope.org>
Sent: Friday, April 05, 2002 11:42 PM
Subject: [Zope] weird, zpt security problem?
all,
I have a problem and need someone to verify it for me, just so's I know I'm not going insane.
Here's what I did:
1. Create a folder in the root, call it folder1
2. Create a new role in folder1, call it member
3. Create a user folder within folder1, and create a user in there with member role
5. create a folder within folder1, call it folder2
4. change the security for folder2 to turn off acquisition for the 'Access contents information' and 'view' and explicitly turn them on for the new member role and manager
6. create a zope page template within folder2, call it index_html keeping the default content
now start another browser and try and view the /folder1/folder2/index_html as the user you created earlier
At this point I can't log in with anything but a user with manager role; the member, who should have enough access (and would have with a dtml method in place of the zpt), can't see this page at all.
The error I get back is that the user is:
Error Type: Unauthorized
Error Value: You are not allowed to access title in this context
With a traceback like this:
Traceback (innermost last):
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 150, in publish_module
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 114, in publish
  File D:\zope25\lib\python\Zope\__init__.py, line 159, in zpublisher_exception_hook
    (Object: ftest2)
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 98, in publish
  File D:\zope25\lib\python\ZPublisher\mapply.py, line 88, in mapply
    (Object: index_html)
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 39, in call_object
    (Object: index_html)
  File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 252, in __call__
    (Object: index_html)
  File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 283, in _bindAndExec
    (Object: index_html)
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 177, in _eval
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 134, in _eval
    (Info: template)
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 327, in restrictedTraverse
    (Object: index_html)
    (Info: {'path': ['title'], 'TraversalRequestNameStack': []})
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 345, in validate2
    (Object: index_html)
  File D:\zope25\lib\python\AccessControl\SecurityManager.py, line 83, in validate
  File D:\zope25\lib\python\AccessControl\ZopeSecurityPolicy.py, line 177, in validate
Unauthorized: (see above)
Does anyone else see this, am I doing something wrong, is it a bug, or am I completely insane?
I'd appreciate any reports sent either to me direct or to the list.
tia
ps. reporting on my sanity will get you no brownie points whatsoever ;)
Phil