-----Original Message-----
From: Bill Anderson [mailto:bill@libc.org]
Sent: Monday, June 26, 2000 1:42 PM
To: Jay, Dylan
Cc: 'zope@zope.org'
Subject: Re: [Zope] Zope 2.2b2 security conundrum
"Jay, Dylan" wrote:
I am playing with ZDP-Tools, which are ZClass based. When I try to add a new object I get a security failure.
<H2>Zope Error</H2> <P>Zope has encountered an error while publishing this resource. </P> <P><STRONG>Unauthorized</STRONG></P>
You are not authorized to access <em>manage_editProperties</em>.
<!--
Traceback (innermost last):
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 187, in publish
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 171, in publish
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 168, in __call__
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_With.py, line 146, in render
    (Object: FAQQuestionClass.createInObjectManager(REQUEST['id'], REQUEST))
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 164, in __call__
    (Object: DocumentFolderClass_add_fragment_exec)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
    (Object: DocumentFolderClass_add_fragment_exec)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 339, in eval
    (Object: propertysheets.Info.manage_editProperties(REQUEST))
    (Info: REQUEST)
  File <string>, line 0, in ?
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 187, in validate
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\AccessControl\SecurityManager.py, line 139, in validate
  File D:\PROGRA~1\Zope22\lib\python\AccessControl\ZopeSecurityPolicy.py, line 208, in validate
Unauthorized: (see above)
I figure this is due to the new security model. The user I am using doesn't have Manager privileges but has permission to add this object. I get the add form; however, when I try to submit, the above occurs. I think this might have something to do with the ownership of FAQQuestionClass_add. However, I can't see who owns FAQQuestionClass_add. How is the new security model supposed to work with ZClasses, and how do I get round this problem so I can give a user the ability to add a new object?
Check for the permission "Manage Properties". This one threw me for a while. I posted this a week or two back; you should be able to find it in the archives. This works when I call the addForm directly, yet when I use a form local to the directory and use the "<dtml-with ..." technique from the FAQ (as I use in KnowledgeKit), it doesn't seem happy, requesting authentication through Basic Auth, as opposed to the Cookie Login form I use currently (Membership 0.6.0).
I am working on this, and will post a fix as soon as I have one.
I solved this by giving the piece of code that changes the properties the Proxy Manager role.
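
The fix described in this thread, sketched as an added example that is not code from either poster or from Zope itself: a simplified model of a permission check in which the executing code's owner must hold the permission and, when the code has proxy roles, those roles stand in for the calling user's. The class names, the "Add FAQ Questions" permission, the "Contributor" role and the sample users are constructed for illustration, and the check logic is an assumption about how the policy behaves, not a copy of `ZopeSecurityPolicy.py`.

```python
# Simplified model (assumption, not Zope source) of owner + proxy-role checks.
from dataclasses import dataclass

class Unauthorized(Exception):
    pass

@dataclass
class User:
    name: str
    roles: frozenset

@dataclass
class Executable:  # stands in for a DTML method such as FAQQuestionClass_add
    name: str
    owner: User
    proxy_roles: frozenset = frozenset()

# Constructed permission-to-role mapping for this example.
PERMISSION_ROLES = {
    "Add FAQ Questions": frozenset({"Manager", "Contributor"}),
    "Manage Properties": frozenset({"Manager"}),
}

def validate(user, executable, permission):
    """Return True if the call is allowed, otherwise raise Unauthorized."""
    required = PERMISSION_ROLES[permission]
    # The code's owner must hold the permission, so a low-privilege owner
    # cannot escalate by assigning proxy roles to code they own.
    if not (executable.owner.roles & required):
        raise Unauthorized(f"owner of {executable.name} lacks {permission!r}")
    # Proxy roles, when set, replace the calling user's roles for this code.
    effective = executable.proxy_roles or user.roles
    if effective & required:
        return True
    raise Unauthorized(f"{user.name} via {executable.name} lacks {permission!r}")

def allowed(user, executable, permission):
    try:
        return validate(user, executable, permission)
    except Unauthorized:
        return False

# Constructed sample principals and methods.
admin = User("admin", frozenset({"Manager"}))
member = User("member", frozenset({"Contributor"}))
plain_add = Executable("FAQQuestionClass_add", owner=admin)
proxied_add = Executable("FAQQuestionClass_add", admin, frozenset({"Manager"}))
self_proxied = Executable("member_owned_add", member, frozenset({"Manager"}))
```

In this model the proxy role is a privilege grant scoped to one piece of code, so it belongs on the smallest method that needs it (here, the one calling `manage_editProperties`) rather than on the whole add form.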