Tim Hicks writes:
... Ok, I've been doing that. Line 200 in ZopeSecurityPolicy.py raises Unauthorised because:
accessedbase is containerbase
which equates to:
getattr(accessed, 'aq_base', container) is aq_base(container) This, e.g., happens, when "accessed" is not acquisition wrapped.
A standard problem is to include neither "Acquisition.Implicit" nor "Acquisition.Explicit" as base class. Instances, then, will not play well with Zope's security machinery.
Both my ZOffice object and the converter plugins that are sub-objects inherit from SimpleItem.SimpleItem. I've set up some debug logging and it reveals that each of the objects does indeed have an '__of__' method. Indeed, the '_doConversion' method on my converter object calls 'self.handleFiles()', which it successfully acquires from its parent (ZOffice) object. So, I don't think it's a problem of not having acquisition wrappers. Further checks reveal that the user (who I am programatically logging in) does indeed have have suitable roles ('Manager') to do what I want. As for why 'accessedbase is containerbase', I'm still no nearer finding out. With my converter plugin as self: self.absolute_url() => http://domain.com:8080/ZOffice/ self.aq_parent.absolute_url() => http://domain.com:8080/ZOffice # n.b. no trailing slash self.aq_parent.aq_parent.absolute_url() => http://domain.com:8080 # n.b. no trailing slash So, to recap: I'm calling self.handleFiles() from my converter. handleFiles is acquired from the ZOffice instance and is a zpy. handleFiles makes various successful calls to manage_add*, and methods/scripts visible from the ZMI, but it raises Unauthorised when I try to call a method of ZOffice defined in its class. Any ideas? tim ps My plugins are stored in a dictionary on my ZOffice instance (so they don't appear in the ZMI). The method 'getConverterByName(self, name)' explicitly returns converter.__of__(self) to ensure the acquisition chain makes sense.