David Kankiewicz wrote:
I'm probably getting loopy, but I can't figure out how to set things up such that an anonymous user could copy or clone or rename anything, period - it feels like the logic is coded in such a way that it just isn't possible (for anonymous). Could anyone come up with a simple working example of this that does *not* require "View management screens" be turned on in both the source and target folders??? It *should* be simple.
What I gave you should work with only the "method" having "View management screens"..
Yup, it should, but it doesn't (even tried doing proxy Manager on the method). I think something is really honestly broken here. There's a blurb in the CopySupport module that refers to the fact that the various copy methods do their own security, and you can see it in _verifyObjectPaste(). In particular, the statement:

(CopySupport.py)

    if (not hasattr(user, 'has_role') or
        not user.has_role(roles, self)):
        raise 'Unauthorized', (
            """You are not authorized to perform this
            operation."""
            )

(and the fact that I get stopped here all the time) suggests that it is currently impossible for a user that does not have some role or another to actually perform a copy. Proxy roles don't seem to get past this, and I don't know of a way to assign a role (temporary or otherwise) to an anonymous user.

In short, I suspect that this logic is what's messing things up, and I'm not certain why it's there in the first place. Most other stuff lets some other lower-level Zope stuff deal with permissions automagically. It doesn't make obvious sense that permission logic should have to be re-coded here.

At this point I've worked around the problem, but I'll probably re-visit it later. Thanks again for your time!!