zope-bounces+jpenny=ykksnap-america.com@zope.org wrote on 08/10/2006 02:02:28 PM:
Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
I have a zope app in a folder and have an exUserFolder in there to authenticate the app's users. The app is working fine and I get authenticated by the exUserFolder and everything works. I tried to delete the single "admin" account (with Manager privileges) from the root standard user folder and the app breaks with:
Unauthorized: You are not allowed to access 'call_backend' in this context
where 'call_backend' is an External Method called by a Python Script. All objects in zope are owned by the "admin". Could this be causing the problem?
Others already answered "yes".
I just would like to add that this is due to the "executable owner" feature, introduced in Zope 2.2 to make Trojan horse attacks much more difficult. You may still be able to find the corresponding documentation (maybe even in the Zope Book, 2.7 edition, on "Plope.org").
I would also add: it is usually a real good idea to put only admin users in the root folder anyway. This gives you additional protection from several problems: it makes database connection methods much harder to see, it protects you from bugs in add-on acl_user products, it keeps people from doing things like adding a siteroot to your root folder, and it keeps people out of the Control_Panel. The only thing that I can imagine that you would want non-admins to have access to in the root folder is the error_log. In a large organization, I could see that you would want programmers who do not have admin rights to be able to see it. That might take some special handling, but I suspect that you could use a proxy role or even just set its access to Anonymous (although that may lead to unintended information leakage).
jim penny
-- Dieter
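The "executable owner" behaviour discussed in this thread, as an added toy model (not Zope's own code): an owned executable runs with the intersection of the caller's roles and its owner's roles, a deleted owner contributes no roles at all, and proxy roles replace that intersection outright. The user folder, the `call_backend` entry and the role names below are constructed for the illustration.

```python
# Toy model of Zope 2's executable-owner check (illustrative, not Zope code).
from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


@dataclass
class Executable:
    name: str
    owner: str                                   # user id recorded as owner
    proxy_roles: set = field(default_factory=set)  # empty = no proxy roles set


def effective_roles(user_folder, caller, executable):
    """Roles the executable runs with when `caller` invokes it."""
    if executable.proxy_roles:
        # Proxy roles replace both caller and owner roles for this executable.
        return set(executable.proxy_roles)
    owner_roles = user_folder.get(executable.owner)
    if owner_roles is None:
        # Owner account no longer exists: the owner side of the check is empty,
        # so the intersection is empty regardless of who the caller is.
        return set()
    return set(user_folder.get(caller, set())) & set(owner_roles)


def check_access(user_folder, caller, executable, required_roles):
    """Raise Unauthorized unless some effective role satisfies the requirement."""
    if not effective_roles(user_folder, caller, executable) & set(required_roles):
        raise Unauthorized(
            f"You are not allowed to access '{executable.name}' in this context")
    return True


def is_allowed(user_folder, caller, executable, required_roles):
    try:
        return check_access(user_folder, caller, executable, required_roles)
    except Unauthorized:
        return False


# Constructed sample: root acl_users with a Manager "admin", and a caller
# authenticated with Manager through a folder-level user folder.
USERS = {"admin": {"Manager"}, "alice": {"Manager", "Authenticated"}}
CALL_BACKEND = Executable(name="call_backend", owner="admin")
USERS_WITHOUT_ADMIN = {k: v for k, v in USERS.items() if k != "admin"}
WITH_PROXY = Executable(name="call_backend", owner="admin", proxy_roles={"Manager"})
```

Deleting "admin" turns the first call into the Unauthorized error quoted in the question, while setting a proxy role on the script (as suggested above) lets it run even though its owner is gone.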