----- Original Message ----- From: "Chris Withers" <chris@simplistix.co.uk> To: "Kees de Brabander" <cj.de.brabander@hccnet.nl> Cc: <zope@zope.org> Sent: Thursday, December 15, 2005 4:24 PM Subject: Re: [Zope] user account defined outside context of object being accessed
Kees de Brabander wrote:
Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'f1_index' of (Folder at /f1), acquired through (Folder at /f1/f11/f111), denied. Your user account, user1, exists at /f1/f11/acl_users. Access requires one of the following roles: ['Authenticated', 'Manager', 'Owner', 'student'].
Looks like you were inadvertently taking advantage of a security hole in Zope that got plugged. That said, your example was extremely complicated.
Well, that's life ;)
Can you come up with as simple an example as possible so that we can maybe help you out?
I can't make the example more simple than I did. I guess it boils down to the fact that a user defined in a user folder somewhere farther down along a path cannot acquire objects higher up that path when the acquisition of the view permission of that object or its container is disabled and the view permission granted again to specific roles. This was possible up to Zope version 2.7.3, but not anymore from 2.7.8. Somewhere in between this was changed, but I could not find an explicit reference. I used this construction a lot of times, so I have to restructure several applications. I guess that's life as well. Thanks anyway, cb
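The check behind the "defined outside the context of the object being accessed" error, modelled in Python as an added illustration (this is not Zope's own code, and the paths, user folder location and role sets are constructed from the thread above). The model shows why the older behaviour was a hole: testing the user folder against the acquisition path through which the object was reached lets a user defined at /f1/f11/acl_users appear to be "in context" for /f1/f1_index when it is fetched via /f1/f11/f111, whereas testing against the object's real (physical) path denies it.

```python
"""Simplified model of the Zope 2 user-folder context check.

Added illustration, not Zope's code. Paths are tuples of path
segments; ("", "f1", "f11", "acl_users") stands for /f1/f11/acl_users.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    user_folder_path: tuple  # physical path of the acl_users that defines the user


@dataclass(frozen=True)
class ProtectedObject:
    physical_path: tuple  # real location, independent of how it was reached
    allowed_roles: frozenset  # roles holding the View permission here


def is_ancestor_or_self(ancestor, path):
    """True when `ancestor` is a prefix of `path` (or equal to it)."""
    return path[: len(ancestor)] == ancestor


def _roles_ok(user, obj):
    return bool(user.roles & obj.allowed_roles)


def check_access(user, obj, acquired_through=None):
    """Fixed behaviour: the container of the user's acl_users must contain
    the object's *physical* path. `acquired_through` is accepted only to show
    that it plays no part in the decision."""
    container = user.user_folder_path[:-1]
    if not is_ancestor_or_self(container, obj.physical_path):
        return False, "user account is defined outside the context of the object"
    if not _roles_ok(user, obj):
        return False, "missing required role"
    return True, "ok"


def legacy_check_access(user, obj, acquired_through=None):
    """Pre-fix behaviour (modelled): the context test ran against the path the
    object was acquired through, so a high-level object reached via a deeper
    folder looked as if it lived below the user's acl_users."""
    if acquired_through:
        seen_at = acquired_through + obj.physical_path[-1:]
    else:
        seen_at = obj.physical_path
    container = user.user_folder_path[:-1]
    if not is_ancestor_or_self(container, seen_at):
        return False, "user account is defined outside the context of the object"
    if not _roles_ok(user, obj):
        return False, "missing required role"
    return True, "ok"


# Constructed scenario mirroring the thread.
USER1 = User("user1", frozenset({"Authenticated", "student"}),
             ("", "f1", "f11", "acl_users"))
ROOT_ADMIN = User("admin", frozenset({"Authenticated", "Manager"}),
                  ("", "acl_users"))
F1_INDEX = ProtectedObject(("", "f1", "f1_index"),
                           frozenset({"Authenticated", "Manager", "Owner", "student"}))
F111_PAGE = ProtectedObject(("", "f1", "f11", "f111", "index_html"),
                            frozenset({"student"}))
VIA_F111 = ("", "f1", "f11", "f111")  # the acquisition path from the error


if __name__ == "__main__":
    for label, fn in (("legacy", legacy_check_access), ("fixed", check_access)):
        print(label, "user1 -> /f1/f1_index via /f1/f11/f111:",
              fn(USER1, F1_INDEX, acquired_through=VIA_F111))
    print("fixed user1 -> /f1/f11/f111/index_html:", check_access(USER1, F111_PAGE))
    print("fixed admin -> /f1/f1_index:", check_access(ROOT_ADMIN, F1_INDEX))
```

Running it shows the legacy check granting user1 access to /f1/f1_index when it is reached through /f1/f11/f111, and the fixed check denying it while still allowing user1 to see objects below /f1/f11 and a root-level Manager to see everything. The restructuring the thread mentions follows from this: a user must be defined in an acl_users at or above the objects they need, not below them.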