Hi.

Config: Zope 2.1.4 linux/i386

I have a method which searches for objects of certain types with help of a Catalog. I use

<dtml-in "Catalog(meta_type='desired_type')">
  <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
    <dtml-var id>
  </dtml-with>
</dtml-in>

And this is what I get IF I AM NOT THE SUPER-USER:

Traceback (innermost last):
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/ZPublisher/Publish.py, line 214, in publish_module
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/ZPublisher/Publish.py, line 179, in publish
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/ZPublisher/Publish.py, line 165, in publish
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: trigger_search)
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/ZPublisher/Publish.py, line 102, in call_object
    (Object: trigger_search)
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/OFS/DTMLMethod.py, line 145, in __call__
    (Object: trigger_search)
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: trigger_search)
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/DocumentTemplate/DT_In.py, line 691, in renderwob
    (Object: Catalog(meta_type='material', autoren=au, beschreibung=be, schlagworte=sw, zuordnung=REQUEST['zuordnung'], title=ti))
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
    (Object: resolve_url(Catalog.getpath(data_record_id_), REQUEST).id)
    (Info: Catalog)
  File <string>, line 0, in ?
  File /amnt/home/assen/Zope-2.1.1-linux2-x86/lib/python/DocumentTemplate/DT_Util.py, line 138, in careful_getattr
Unauthorized: (see above)

I NEED THIS! So, please help! Thanks!!

regards, ingo.

Ingo Assenmacher wrote:
> I have a method which searches for objects of certain types with help of a Catalog. I use
>
> <dtml-in "Catalog(meta_type='desired_type')">
>   <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
>     <dtml-var id>
>   </dtml-with>
> </dtml-in>
>
> And this is what I get IF I AM NOT THE SUPER-USER:
> Traceback (innermost last):
> Unauthorized: (see above)
>
> I NEED THIS! So, please help!

resolve_url uses the exact same publishing machinery as calling a URL through the web; it does _not_ bypass the security machinery. If you do not have enough privilege to access an object, then you will get an Unauthorized, just like when you call it through the web.

The user that you are running this query as does not have enough privilege to call one of your desired_type objects. The exact object that you are unauthorized to see is displayed in the Error Message, which you did not include. There is no bug here, this is how it is supposed to work. Make sure that the objects that are resolved by this query can be viewed by the user who runs the query.

-Michel

Michel Pelletier wrote:
> resolve_url uses the exact same publishing machinery as calling a URL through the web; it does _not_ bypass the security machinery. If you do not have enough privilege to access an object, then you will get an Unauthorized, just like when you call it through the web.

Additionally, if the object does not have an index_html, it may acquire it - so you also have to make sure that the index_html it might acquire is viewable by the user you're running as.

--
Itamar S.T.
itamars@ibm.net

Hi. Thanks for your response.

On 12-Apr-00, Itamar Shtull-Trauring wrote:
>> resolve_url uses the exact same publishing machinery as calling a URL through the web; it does _not_ bypass the security machinery. If you do not have enough privilege to access an object, then you will get an Unauthorized, just like when you call it through the web.
>
> Additionally, if the object does not have an index_html, it may acquire it - so you also have to make sure that the index_html it might acquire is viewable by the user you're running as.

I *did* test this with several users, including a top-level defined user with Manager role and privileges. The result was absolutely the same. This was what raised my question. Since the Manager role is granted all permissions, I *am* somewhat confused.

I thought: maybe I have made a mistake within my objects somewhere and tried to use "resolve_url()" on DTML-Documents and tried to access their 'id' attribute with:

<dtml-in "Catalog(meta_type='DTML Document')">
  <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
    <dtml-var id>
  </dtml-with>
</dtml-in>

which also raised the "unauthorised" Exception. As I have stated above: this does not happen when I do use the Superuser-account.

I created some workaround (ugly, ugly) just to handle this. I am not quite happy with this, because I do need the ZCatalog object traversal desperately. Any further hints are absolutely welcome.

Regards, Ingo
------------------------------------------

On Tue, 11 Apr 2000 17:35:22 -0700, Michel Pelletier <michel@digicool.com> wrote:
> Ingo Assenmacher wrote:
>> I have a method which searches for objects of certain types with help of a Catalog. I use
>>
>> <dtml-in "Catalog(meta_type='desired_type')">
>>   <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
>>     <dtml-var id>
>>   </dtml-with>
>> </dtml-in>
>>
>> And this is what I get IF I AM NOT THE SUPER-USER:
>> Traceback (innermost last):
>> Unauthorized: (see above)
>>
>> I NEED THIS! So, please help!
>
> resolve_url uses the exact same publishing machinery as calling a URL through the web; it does _not_ bypass the security machinery. If you do not have enough privilege to access an object, then you will get an Unauthorized, just like when you call it through the web.
>
> The user that you are running this query as does not have enough privilege to call one of your desired_type objects. The exact object that you are unauthorized to see is displayed in the Error Message, which you did not include. There is no bug here, this is how it is supposed to work. Make sure that the objects that are resolved by this query can be viewed by the user who runs the query.
>
> -Michel

Not true! There is a bug in the Acquisition machinery (scary, but true). See the following for a description and patch.

http://classic.zope.org:8080/Collector/1066/view

Basically, Zope thinks a user has authority over an object if his user folder is above the object in the acquisition tree. It gets this wrong when resolve_url is involved, since that creates a parallel (rather than nested) acquisition tree.

Toby Dickenson
tdickenson@geminidataloggers.com
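
The nested-versus-parallel distinction in the last message, as a toy model added to this archive page; it is not Zope source code and not the patch from Collector issue 1066. The `Node` and `Wrapper` classes, both check functions, and the idea that the flawed check compares wrappers by identity are assumptions made for the sketch, which also confirms that an object-based comparison still denies an object outside the user's folder.

```python
# Toy model of acquisition-context authorization. Not Zope source code.

class Node:
    """A persistent object with named children (constructed sample data)."""
    def __init__(self, name, **children):
        self.name, self.children = name, children

class Wrapper:
    """An object seen in a context: the object plus the wrapper it was reached from."""
    def __init__(self, obj, aq_parent=None):
        self.obj, self.aq_parent = obj, aq_parent

    def chain(self):
        w = self
        while w is not None:
            yield w
            w = w.aq_parent

def traverse(start, path):
    """Walk a '/'-separated path, wrapping every step in the previous one."""
    w = start
    for step in filter(None, path.split("/")):
        w = Wrapper(w.obj.children[step], w)
    return w

def in_context_by_wrapper(target, user_home):
    """Assumed flawed check: user_home's own wrapper must be in target's chain."""
    return any(w is user_home for w in target.chain())

def in_context_by_object(target, user_home):
    """Assumed corrected check: compare underlying objects, not wrappers."""
    return any(w.obj is user_home.obj for w in target.chain())

def demo():
    site = Node("site", doc=Node("doc"))            # folder holding the user's user folder
    app = Node("app", site=site, other=Node("other"))
    user_home = traverse(Wrapper(app), "site")      # context the user was authenticated in
    nested = traverse(user_home, "doc")             # reached by traversal below user_home
    parallel = traverse(Wrapper(app), "site/doc")   # fresh chain, resolve_url style
    outside = traverse(Wrapper(app), "other")       # not under the user's folder
    return {
        "nested_flawed": in_context_by_wrapper(nested, user_home),
        "parallel_flawed": in_context_by_wrapper(parallel, user_home),
        "parallel_fixed": in_context_by_object(parallel, user_home),
        "outside_fixed": in_context_by_object(outside, user_home),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the same `doc` object is authorized when reached through the nested chain and denied through the parallel one, which mirrors the symptom reported in the thread for users defined in a user folder.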