Re: [Zope] problem testing for a permission
Hi Jerome,

I am not sure whether it was you with whom I discussed a similar problem?

Some days ago, I saw a similar post: &dtml.url-login; raised an "Unauthorized" exception when the user did not have "View" permission. I could reproduce a problem when the user did not have "Access Contents Information", but the "View" permission was not necessary.

Same for your problem (I am using ZopeCVS, about 10 days old): "has_permission" requires "Access Contents Information" for its object attribute (a bug in my view), but no 'View' permission.

Jerome Alet writes:
> ....
> <dtml-if "AUTHENTICATED_USER.has_permission('View', mymethod)">
> ...
> but if I access the pages as an anonymous user then I've got an Unauthorized exception instead of not having the "Members only" link.

Either some strange effect with your Zope version or:

* your "standard_html_xxx" is a DTML Document (! not method)
* your user is defined in a subfolder "acl_user", i.e. above "mymethod"

then the additional check, that a user can not reach material outside the context of its user folder, may hit you.

It is only a very vague idea....

Dieter
Hi,

On Fri, Apr 20, 2001 at 09:05:50PM +0200, Dieter Maurer wrote:

> I am not sure whether it was you with whom I discussed a similar problem?

No, I don't think so.

> I could reproduce a problem when the user did not have "Access Contents Information", but the "View" permission was not necessary.
>
> Same for your problem (I am using ZopeCVS, about 10 days old):
> "has_permission" requires "Access Contents Information" for its object attribute (a bug in my view), but no 'View' permission.

I've tried to give this permission on "mymethod" to anonymous users, but without luck.

> Jerome Alet writes:
> > ....
> > <dtml-if "AUTHENTICATED_USER.has_permission('View', mymethod)">
> > ...
> > but if I access the pages as an anonymous user then I've got an Unauthorized exception instead of not having the "Members only" link.
>
> Either some strange effect with your Zope version or:

Maybe. I'll try to update ASAP.

> * your "standard_html_xxx" is a DTML Document (! not method)

No, it's a DTML method.

> * your user is defined in a subfolder "acl_user", i.e. above "mymethod"

Not the case.

> then the additional check, that a user can not reach material outside the context of its user folder, may hit you.

As a working solution I've given a proxy role of Manager to my standard_html_footer method: it works fine, but I don't really understand what security problems may arise...

Bye, and thanks to all for the help.

Jerome Alet
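As an added illustration (editor's code, not Zope's and not anything posted in this thread), the Python model below separates the two checks that Dieter's reply pulls apart: resolving `mymethod` from the DTML namespace, which in the model is guarded by "Access Contents Information", and the explicit `has_permission('View', ...)` call that follows. It also shows what the Manager proxy role Jerome settled on does to everything else inside the footer. One thing is assumed for the model and not stated anywhere in the thread: that a proxy role replaces the roles used for guarded lookups but not the roles `AUTHENTICATED_USER.has_permission` reports for the user. The folder contents (`mymethod`, `payroll`), the user `jerome` and the role tables are constructed sample data.

```python
from contextlib import contextmanager

# Permission names as Zope spells them; the classes below are a small stand-in
# for Zope's security machinery written for this illustration, not Zope's code.
ACCESS_CONTENTS = "Access Contents Information"
VIEW = "View"


class Unauthorized(Exception):
    """Raised when a guarded name lookup fails, like Zope's Unauthorized."""


class Obj:
    """Content object with a permission -> allowed-roles table (its Security tab)."""

    def __init__(self, name, perm_roles):
        self.name = name
        self.perm_roles = {p: frozenset(r) for p, r in perm_roles.items()}

    def roles_for(self, perm):
        return self.perm_roles.get(perm, frozenset())


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_permission(self, perm, obj):
        # AUTHENTICATED_USER.has_permission: the user's own roles only.
        # That proxy roles do not enter here is an assumption of this model.
        return bool(obj.roles_for(perm) & self.roles)


class SecurityManager:
    """Guards every name resolved from the DTML namespace."""

    def __init__(self, user):
        self.user = user
        self._proxy = None  # roles substituted while a proxied method runs

    def effective_roles(self):
        return self._proxy if self._proxy is not None else self.user.roles

    def lookup(self, folder, name):
        # Resolving `name` is itself guarded: it needs 'Access Contents
        # Information' on the object, whatever permission is asked about next.
        obj = folder[name]
        if not (obj.roles_for(ACCESS_CONTENTS) & self.effective_roles()):
            raise Unauthorized(f"{self.user.name}: cannot resolve {name!r}")
        return obj

    @contextmanager
    def proxy_roles(self, roles):
        """Model of a method's Proxy tab: its whole body runs with these roles."""
        saved, self._proxy = self._proxy, frozenset(roles)
        try:
            yield
        finally:
            self._proxy = saved


def footer(sm, folder):
    """<dtml-if "AUTHENTICATED_USER.has_permission('View', mymethod)">: link or ''."""
    mymethod = sm.lookup(folder, "mymethod")  # may raise before the if is evaluated
    return "Members only" if sm.user.has_permission(VIEW, mymethod) else ""


def render_footer(sm, folder, proxy=None):
    """Render the footer, optionally under a proxy role; report Unauthorized as text."""
    try:
        if proxy is None:
            return footer(sm, folder)
        with sm.proxy_roles(proxy):
            return footer(sm, folder)
    except Unauthorized:
        return "Unauthorized"


# Constructed sample site (hypothetical names): members-only mymethod, plus a
# second object, payroll, that the footer never mentions.
FOLDER = {
    "mymethod": Obj("mymethod", {ACCESS_CONTENTS: ["Member", "Manager"],
                                 VIEW: ["Member", "Manager"]}),
    "payroll": Obj("payroll", {ACCESS_CONTENTS: ["Manager"], VIEW: ["Manager"]}),
}
ANON = User("Anonymous User", ["Anonymous"])
MEMBER = User("jerome", ["Member"])


def scenarios():
    """The situations from the thread, plus what a Manager proxy role widens."""
    anon, member = SecurityManager(ANON), SecurityManager(MEMBER)
    out = {
        "anon_plain": render_footer(anon, FOLDER),  # the reported symptom
        "member_plain": render_footer(member, FOLDER),
        "anon_manager_proxy": render_footer(anon, FOLDER, proxy=["Manager"]),
    }
    # Inside the proxied method every lookup succeeds for Anonymous, not just mymethod.
    with anon.proxy_roles(["Manager"]):
        out["anon_proxy_reaches_payroll"] = anon.lookup(FOLDER, "payroll").name
    # Narrower grant on mymethod alone: Access Contents Information for Anonymous,
    # so the lookup succeeds and the View check hides the link without raising.
    narrowed = dict(FOLDER, mymethod=Obj("mymethod", {
        ACCESS_CONTENTS: ["Anonymous", "Member", "Manager"], VIEW: ["Member", "Manager"]}))
    out["anon_with_aci"] = render_footer(anon, narrowed)
    return out
```

Read together, the results of `scenarios()` make the trade-off concrete: without any grant the anonymous request fails at the lookup, before the View check is ever evaluated; with the Manager proxy role the link is hidden correctly, but the anonymous request can now resolve every object in the folder from inside that footer, so any expression later added to `standard_html_footer` runs with Manager rights; and a grant of "Access Contents Information" on `mymethod` alone (which, in the thread, Jerome reports did not help him) lets the lookup succeed in this model while the View check still hides the link.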
Participants (2): Dieter Maurer, Jerome Alet