NUXUserGroups Zope security
Hi,

To get a list of users for a particular group (using NuxUserGroups) using the following python script

    group=context.acl_users.getGroupById(groupname)
    users=group.getUsers()
    return users

I get an error: 'You are not allowed to access getUsers in this context'

In order to get the list I created an external method with the following based on stuff from ZopeLABS:

    def get_list_of_users(self, groupName):
        acl_users = getattr(self, 'acl_users')
        groups = acl_users.getGroupById(groupName).__of__(acl_users)
        usernames = groups.getUsers()
        return usernames

and it works.

So to access any methods of objects from a python script or DTML I have to create an external method? Is this right. Would some kind soul explain why this is the case or if I'm doing it incorrectly or I missed something.

I have read the security.declareProtected stuff on ZDG and noticed that getUsers has security.declareProtected(ManageUsers, 'getUsers'). The python script above has a proxy role of manager which has permission to 'Manage users'.

Many thanks,
Sion
Sion Morris wrote:
So to access any methods of objects from a python script or DTML I have to create an external method? Is this right.
Yes, unless those methods have been specifically designed to be used from Python Scripts.
Would some kind soul explain why this is the case or if I'm doing it incorrectly or I missed something.
It's for security reasons. If you have a look in standard.py of the PythonScripts product, you can see how to make security assertions about modules, classes and their methods.
I have read the security.declareProtected stuff on ZDG and noticed that getUsers has security.declareProtected(ManageUsers, 'getUsers'). The python script above has a proxy role of manager which has permission to 'Manage users'.
Hmmm... that is odd. Are you sure that's the getUsers you're executing? If it is, then maybe there's a bug lurking here?

cheers,
Chris
On Sunday, July 14, 2002, at 11:32 am, Chris Withers wrote:
Sion Morris wrote:
So to access any methods of objects from a python script or DTML I have to create an external method? Is this right.
Yes, unless those methods have been specifically designed to be used from Python Scripts.
Would some kind soul explain why this is the case or if I'm doing it incorrectly or I missed something.
It's for security reasons. If you have a look in standard.py of the PythonScripts product, you can see how to make security assertions about modules, classes and their methods.
I have read the security.declareProtected stuff on ZDG and noticed that getUsers has security.declareProtected(ManageUsers, 'getUsers'). The python script above has a proxy role of manager which has permission to 'Manage users'.
Hmmm... that is odd. Are you sure that's the getUsers you're executing? If it is, then maybe there's a bug lurking here?
It may be that I'm accessing the wrong method. This is what I've done to check (hope not to show my complete ineptness):

In a python script:

    group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of the group.
    return group

Executing the script returns an error as expected, but with "Resource: Group instance at 8e8ae18"

So a 'Group' object is returned. The class 'Group' from UserFolderWithGroups.py (NuxUserGroups) has a method

    security.declareProtected(ManageUsers, 'getUsers')
    def getUsers(self):
        """Group users"""
        return tuple(self.users)

This is what I'm attempting to use here:

    group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of the group.
    users = group.getUsers()
    return users

except an error is raised: "Error Value: You are not allowed to access getUsers in this context"!
cheers,
Chris
I can use an external method to access these methods but it feels like needless duplication.

Many thanks,
Sion
Sion Morris wrote:
This is what I'm attempting to use here:
    group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of the group.
    users = group.getUsers()
    return users
except an error is raised: "Error Value: You are not allowed to access getUsers in this context"!
Does the person executing this script have the 'Manage Users' permission? If not, have you tried giving the script a proxy role which has this permission?

cheers,
Chris
On Monday, July 15, 2002, at 10:38 pm, Chris Withers wrote:
Sion Morris wrote:
This is what I'm attempting to use here:
    group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of the group.
    users = group.getUsers()
    return users
except an error is raised: "Error Value: You are not allowed to access getUsers in this context"!
Does the person executing this script have the 'Manage Users' permission? If not, have you tried giving the script a proxy role which has this permission?
The script returns the same error when executed by a user with manager role and when the script has the manager proxy role. I'm stumped.

Sion
In article <109986E0-983C-11D6-84BA-000393876536@bangor.ac.uk> you write:
On Monday, July 15, 2002, at 10:38 pm, Chris Withers wrote:
Sion Morris wrote:
This is what I'm attempting to use here:
    group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of the group.
    users = group.getUsers()
    return users
except an error is raised: "Error Value: You are not allowed to access getUsers in this context"!
Does the person executing this script have the 'Manage Users' permission? If not, have you tried giving the script a proxy role which has this permission?
The script returns the same error when executed by a user with manager role and when the script has the manager proxy role.
I'm stumped.
Can you try to add a security.declareObjectProtected(ManageUsers) just after the security = ClassSecurityInfo() in the BasicGroup class? (in UserFolderWithGroups.py)

Tell me if it works for you.

Florent

--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
On Sunday, July 21, 2002, at 05:23 pm, Florent Guillaume wrote:
In article <109986E0-983C-11D6-84BA-000393876536@bangor.ac.uk> you write:
On Monday, July 15, 2002, at 10:38 pm, Chris Withers wrote:
Sion Morris wrote:
This is what I'm attempting to use here:
    group=context.acl_users.getGroupById('OMT') #where 'OMT' is the name of the group.
    users = group.getUsers()
    return users
except an error is raised: "Error Value: You are not allowed to access getUsers in this context"!
Does the person executing this script have the 'Manage Users' permission? If not, have you tried giving the script a proxy role which has this permission?
The script returns the same error when executed by a user with manager role and when the script has the manager proxy role.
I'm stumped.
Can you try to add a security.declareObjectProtected(ManageUsers) just after the security = ClassSecurityInfo() in the BasicGroup class ? (in UserFolderWithGroups.py)
Tell me if it works for you.
It doesn't make a difference. I still get the same error.

I've also tried adding the declareObjectProtected on the Group class and that didn't work either.

Changing the security declaration for the getUsers method in class Group to security.declarePublic('getUsers') works as expected though.

Sion
In article <E9E34A79-9D51-11D6-81FA-000393876536@bangor.ac.uk> you write:
The script returns the same error when executed by a user with manager role and when the script has the manager proxy role.
I'm stumped.
Can you try to add a security.declareObjectProtected(ManageUsers) just after the security = ClassSecurityInfo() in the BasicGroup class ? (in UserFolderWithGroups.py)
Tell me if it works for you.
It doesn't make a difference. I still get the same error.
I've also tried adding the declareObjectProtected on the Group class and that didn't work either.
Changing the security declaration for the getUsers method in class Group to security.declarePublic('getUsers') works as expected though.
Can you check the owner in the Owner tab of the script, verify that the user still exists, and that he's a Manager.

Florent

--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
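
The checks this thread walks through (the declaration on getUsers, the caller's roles, the script's proxy roles, and the script owner from the last question), as an added example: a simplified model written for this page, not Zope or NuxUserGroups code. All function and parameter names are hypothetical, and acquisition context is not modelled.

```python
# Simplified model of the checks Zope 2 applies when restricted code
# (a Python Script or DTML) calls a method. Illustration only.

MANAGE_USERS = "Manage users"
PUBLIC = object()  # stands in for security.declarePublic


class Unauthorized(Exception):
    pass


def validate(name, declaration, permission_map, user_roles,
             script_owner_roles=None, proxy_roles=(), restricted=True):
    """Return True if the call is allowed, raise Unauthorized otherwise."""
    if not restricted:            # External Method: unrestricted, no checks
        return True
    if declaration is PUBLIC:     # declarePublic: no role required
        return True
    # Roles holding the permission; an unmapped permission defaults to Manager.
    needed = permission_map.get(declaration, {"Manager"})
    msg = "You are not allowed to access %s in this context" % name
    # 1. The script's owner must itself be allowed (None = unowned script).
    #    A deleted or demoted owner is modelled as an empty role list.
    if script_owner_roles is not None and not needed & set(script_owner_roles):
        raise Unauthorized(msg)
    # 2. Proxy roles, when set, replace the calling user's roles.
    if proxy_roles:
        if needed & set(proxy_roles):
            return True
        raise Unauthorized(msg)
    # 3. Otherwise the calling user's own roles decide.
    if needed & set(user_roles):
        return True
    raise Unauthorized(msg)


def allowed(**kw):
    """Boolean wrapper around validate() for the getUsers call."""
    try:
        return validate("getUsers", **kw)
    except Unauthorized:
        return False


# Constructed sample mapping: 'Manage users' is granted to Manager only.
PERMS = {MANAGE_USERS: {"Manager"}}
```

In this model a Manager caller and a Manager proxy role are not sufficient when the script's owner lacks the role, which is the case the Owner tab check is meant to rule out.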