Tim Hicks wrote:
Further checks reveal that the user (who I am programatically logging in) does indeed have have suitable roles ('Manager') to do what I want.
How are you programatically logging in?
# 'self' is the plugin converter object folder = self.restrictedTraverse(path_to_folder) #Authenticate with the same acl_users as the original uploader acl_users = folder.acl_users user = acl_users.authenticate(qfile.user, qfile.passw, request={}) user = user.__of__(acl_users) newSecurityManager(None, user)
ps My plugins are stored in a dictionary on my ZOffice instance (so they don't appear in the ZMI). The method 'getConverterByName(self, name)' explicitly returns converter.__of__(self) to ensure the acquisition chain makes sense.
My bet is still on a missed security definition somewhere...
Debug log output reveals the following: 2002-08-20 00:10:41,871 DEBUG dir(self.aq_parent) => ['_objects', '_pluginConverters', 'asyncSuccess', 'cleanId', 'currentConverter', 'handleFiles', 'id', 'makeZPT', 'nullUpload', 'title', 'uploadBox', 'uploadBoxAsync', 'uploadDispatch', 'uploadDispatchAsync'] 2002-08-20 00:10:41,871 DEBUG self.aq_parent.__roles__ => ('Anonymous', 'Manager', 'sysUser', 'zlaveUser') 2002-08-20 00:10:41,901 DEBUG dir(user) => ['__', 'domains', 'name', 'roles'] 2002-08-20 00:10:41,901 DEBUG user.roles => ['Manager'] The getBody method works when called directly from dtml and has the following security... security.declareProtected('ZOffice Converter: Use', 'getBody') def getBody(self, html): ... 'Manager' does have the 'ZOffice Converter: Use' permission. tim