Problems with assigning proxy roles to a python script
Hello,
I've been working on my first major project with Zope and I need to allow members of the public to register with the site (which gets them an entry in acl_users, and a very restricted role).
I know that I need to use a proxy role to make the script work - giving it manage users privileges. I created a role, adduser, which only had the 'manage users' privilege. When I tried to assign this role as a proxy role to the add-a-user script I got the following error:
You are not authorized to change addUserScript because you do not have proxy roles. (Also, an error occurred while attempting to render the standard error message.)
I scratched my head, and then added all of the permissions that Anonymous User has to the adduser role, and I got the same error. I then added the 'change proxy roles' permission, and still got the error.
Out of frustration I assigned the script the Manager role as a proxy role and it worked fine, and anonymous users were able to make themselves a user account. I'd really rather not use the manager role as a proxy role for this script if I can avoid it - it seems a little dangerous.
Can anyone shed light on what's happening?
Thanks,
Matt Patterson
--
Matt Patterson | Typographer
<matt@emdash.co.uk> | http://www.emdash.co.uk/
<matt@reprocessed.org> | http://reprocessed.org/
On Sat, 21 Jun 2003 18:00:11 +0100 GMT (..19:00 where I live (GMT+2)) Matt Patterson asked the Zope mailing list about the following:
> Hello,
> I've been working on my first major project with Zope and I need to allow members of the public to register with the site (which gets them an entry in acl_users, and a very restricted role).
> I know that I need to use a proxy role to make the script work - giving it manage users privileges. I created a role, adduser, which only had the 'manage users' privilege. When I tried to assign this role as a proxy role to the add-a-user script I got the following error:
> You are not authorized to change addUserScript because you do not have proxy roles. (Also, an error occurred while attempting to render the standard error message.)
That error message is not very well-worded. It really means that *you*, the user assigning the proxy-role, cannot assign roles you don't have yourself.
So, if you set your manager-user up with the "adduser" role, you can freely assign adduser-proxies wherever you like.
But there is no danger related to assigning the "manager" role to the script if no non-managers are allowed to edit it.
You can read more about roles and proxies here : http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx
:)
--
Geir Bækholt
On Saturday, June 21, 2003, at 07:12 PM, Geir Bækholt wrote:
> On Sat, 21 Jun 2003 18:00:11 +0100 GMT (..19:00 where I live (GMT+2)) Matt Patterson asked the Zope mailing list about the following:
>> You are not authorized to change addUserScript because you do not have proxy roles. (Also, an error occurred while attempting to render the standard error message.)
> That error message is not very well-worded. It really means that *you*, the user assigning the proxy-role, cannot assign roles you don't have yourself.
Ah, I see - hence why I, with the Manager role, could assign Manager as a proxy to the script...
> So, if you set your manager-user up with the "adduser" role, you can freely assign adduser-proxies wherever you like.
Cool.
> But there is no danger related to assigning the "manager" role to the script if no non-managers are allowed to edit it.
Not even if the manage_edit interface was called on the script when it had the Manager proxy role? i.e. does this mean that proxy roles only apply when the script is __call__ed, and not when any of its other Zope methods (like manage_edit or document_src) are called...
> You can read more about roles and proxies here : http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx
I did read that, but the example made me think that I had to be a Manager to assign any proxy roles - the example was confusing on that point...
Many thanks for the prompt response!
Matt
--
Matt Patterson | Typographer
<matt@emdash.co.uk> | http://www.emdash.co.uk/
<matt@reprocessed.org> | http://reprocessed.org/
Hi Matt,
Matt Patterson wrote:
> You are not authorized to change addUserScript because you do not have proxy roles. (Also, an error occurred while attempting to render the standard error message.)
This is the key. Read it carefully. It says _you_ are not authorized, not: the script is not authorized. This means, you have to get this role first, so go to your user folder and assign the role to your account. Then you are able to give this role away to other objects. This might be confusing, but after all, it makes sense.
Regards
Tino Wildenhain
participants (3): Geir Bækholt, Matt Patterson, Tino Wildenhain
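The rule the replies describe, replayed as a small stand-alone model. This is an example added to the archived thread, not Zope source code and not code from any of the posters; the class names, the `replay_thread` helper and the abbreviated role-to-permission table are assumptions made for the illustration.

```python
class Forbidden(Exception):
    """Raised when a user tries to hand out a role they do not hold."""

# Constructed, abbreviated role -> permission table mirroring the thread's setup.
ROLE_PERMISSIONS = {
    "Anonymous": {"View"},
    "adduser": {"Manage users"},
    "Manager": {"View", "Manage users", "Change proxy roles", "Change Python Scripts"},
}

class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)

class Script:
    def __init__(self, name):
        self.name, self.proxy_roles = name, ()

    def set_proxy_roles(self, user, roles):
        """Assignment-time check: the assigning user must hold every role."""
        if not set(roles) <= user.roles:
            raise Forbidden("You are not authorized to change %s because you "
                            "do not have proxy roles." % self.name)
        self.proxy_roles = tuple(roles)

    def effective_permissions(self, caller):
        """Call-time effect: proxy roles, when set, replace the caller's roles."""
        roles = self.proxy_roles or caller.roles
        return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

def replay_thread():
    """Replay the steps from the thread and record what each one produced."""
    matt = User("matt", ["Manager"])
    visitor = User("Anonymous User", ["Anonymous"])
    script = Script("addUserScript")
    results = {}
    try:
        script.set_proxy_roles(matt, ["adduser"])   # Matt lacks adduser himself
        results["first_try"] = "ok"
    except Forbidden as exc:
        results["first_try"] = str(exc)
    script.set_proxy_roles(matt, ["Manager"])       # accepted, but over-privileged
    results["manager_proxy"] = script.effective_permissions(visitor)
    matt.roles.add("adduser")                       # the fix from the replies
    script.set_proxy_roles(matt, ["adduser"])
    results["adduser_proxy"] = script.effective_permissions(visitor)
    return results
```

With the `adduser` proxy role the script runs with only 'Manage users' for an anonymous caller, while the Manager proxy role gives it every Manager permission in the table.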