zope 2.7: Unauthorized "in this context"
I recently upgraded my zope server to 2.7 and a product I wrote which makes heavy use of ZClasses is now broken. This is a workflow site for a course, and there are Course, Section, Student, ProjectSubmission, etc. as ZClasses. To view the page at all, students undergo basic authentication. When students want to submit some homework (they have the "Add Project Submissions" Class Permission) they click on a link like the following for the ProjectSubmission add form

  http://myserver.com/Sections/S1/J%20Hunter/manage_addProduct/Course/ProjectS...

where "J Hunter" is the Student, "S1" is the Section and "A Proj" is the ProjectSubmission. This was working fine until the upgrade: the link took them to the ProjectSubmission_addForm and they could add their submission. After the upgrade, they now get another authentication dialog box, and after re-entering their username and password they get the dialog box again; if they then hit cancel they get (verbose info below)

  Traceback (innermost last):
    Module ZPublisher.Publish, line 101, in publish
    Module ZPublisher.mapply, line 88, in mapply
    Module ZPublisher.Publish, line 39, in call_object
    Module OFS.DTMLMethod, line 130, in __call__
     <DTMLMethod instance at 4128fef0>
     URL: http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_ad...
     Physical Path:/srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm
    Module DocumentTemplate.DT_String, line 474, in __call__
    Module DocumentTemplate.DT_With, line 76, in render
  Unauthorized: You are not allowed to access 'mentor' in this context

"mentor" is a field in the StudentPropertySheet. Interestingly, the same result occurs even if I enter a manager or site-root username/password in the authentication dialog box.

I googled for the error message and found

  http://mail.zope.org/pipermail/zope-dev/2004-January/021501.html

Based on my read of this, I tried adding the "Manager" proxy role to ProjectSubmission_addForm but this did not help. Any ideas?
The add form and the verbose traceback are included below. As I say, all was working fine until a server upgrade, so I suspect there is a recent zope feature that I am not handling properly.

Thanks,
JDH

Here is DTML Method ProjectSubmission_addForm:

  <dtml-comment> -*- mode: dtml; dtml-top-element: "body" -*- </dtml-comment>
  <dtml-var standard_html_header>
  <dtml-with site_params_py mapping>
  <form action="ProjectSubmission_add_py" method="post" enctype="multipart/form-data">
  <table <dtml-var form_table_params>>
  <dtml-var "form_table_header_dtml(_.None, _, caption='Enter project submission information', num_columns=2)">
  <dtml-comment>
  <tr>
    <th <dtml-var form_table_th>>Email</th>
    <td><input size=50 name="email" value="<dtml-var email html_quote>"></td>
  </tr>
  </dtml-comment>
  <dtml-comment> Property values are echoed into attribute values, so html_quote them </dtml-comment>
  <tr>
    <th <dtml-var form_table_th>>Mentor</th>
    <td><input size=50 name="mentor" value="<dtml-var mentor html_quote>"></td>
  </tr>
  <tr>
    <th <dtml-var form_table_th>>Mentor email</th>
    <td><input size=50 name="mentor_email" value="<dtml-var mentor_email html_quote>"></td>
  </tr>
  <tr>
    <th <dtml-var form_table_th>>File</th>
    <td><input size=60 type="file" name="file_data"></td>
  </tr>
  <tr>
    <th <dtml-var form_table_th>>Title:</th>
    <td><TEXTAREA WRAP="virtual" NAME="submission_title" ROWS=2 COLS=80 tabindex=1></TEXTAREA></td>
  </tr>
  <tr>
    <th <dtml-var form_table_th>>Synopsis:</th>
    <td><TEXTAREA WRAP="virtual" NAME="description" ROWS=10 COLS=80 tabindex=1></TEXTAREA></td>
  </tr>
  <tr>
    <th colspan=2 align=center> <input type="submit" value="Upload Submission"></th>
  </tr>
  </table>
  <dtml-comment> Note: hidden inputs must come last, right before the </form> tag </dtml-comment>
  <input type="hidden" value="<dtml-var project_id html_quote>" name="project_id">
  <input type="hidden" value="<dtml-var student_id html_quote>" name="student_id">
  <input type="hidden" value="<dtml-var "REQUEST.get('REMOTE_ADDR')" html_quote>" name="remote_address">
  </form>
  <br><br>
  </dtml-with>
  <br><br>
  <dtml-var standard_html_footer>

Time 2005/06/07 09:54:55 GMT-5
User Name (User Id) student (student)
Request URL
  http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...
Exception Type Unauthorized
Exception Value You are not allowed to access 'mentor' in this context

Traceback (innermost last):
  Module ZPublisher.Publish, line 101, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 39, in call_object
  Module OFS.DTMLMethod, line 130, in __call__
   <DTMLMethod instance at 411fb740>
   URL: http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/ProjectSubmissio...
   Physical Path:/srp/jdh/Sections/S1/J Hunter/ProjectSubmission_addForm
  Module DocumentTemplate.DT_String, line 474, in __call__
  Module DocumentTemplate.DT_With, line 76, in render
Unauthorized: You are not allowed to access 'mentor' in this context

REQUEST

form
  student_id 'J Hunter'
  project_id 'A Proj'

cookies
  tree-s 'eJzTyCkw5NLIKTDiClZ3hANPW3WuAmOuRKCECUjWFEU2EiRrBpY1B8laoMimg2QtwbKGBiBpQ0MkeeMgV5C8oRFXIhiA5I2R5bNDwfImEANMwQaYIRQ4hbnngxWYQw3QAwBNLzCv'
  __cp 'x%DA%D3%60b%60%60%C8%04b%86hF%20%A1%C1%02%24%8AA%DCbf%10QTP%0C%121200-%E6%03%09d%96%A4%C6%17%24%16%25%E6%16%C7%17T%02%00%D9w%0A%F9'
  _ZopeId '88234626A13Ni1oME3c'

lazy items
  SESSION <bound method SessionDataManager.getSessionData of <SessionDataManager instance at 411e6ad0>>

other
  URL5 'http://bace.bsd.uchicago.edu/srp/jdh/Sections'
  URL4 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1'
  URL7 'http://bace.bsd.uchicago.edu/srp'
  URL6 'http://bace.bsd.uchicago.edu/srp/jdh'
  URL3 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter'
  URL2 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...'
  URL8 'http://bace.bsd.uchicago.edu'
  AUTHENTICATED_USER student
  SERVER_URL 'http://bace.bsd.uchicago.edu'
  AUTHENTICATION_PATH 'srp/jdh'
  URL 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...'
  BASE9 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...'
  PUBLISHED <DTMLMethod instance at 411fb740>
  TraversalRequestNameStack []
  BASE1 'http://bace.bsd.uchicago.edu'
  BASE2 'http://bace.bsd.uchicago.edu/srp'
  BASE3 'http://bace.bsd.uchicago.edu/srp/jdh'
  BASE4 'http://bace.bsd.uchicago.edu/srp/jdh/Sections'
  BASE5 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1'
  BASE6 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter'
  BASE7 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...'
  BASE8 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...'
  URL1 'http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...'

  URL0 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...
  URL1 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...
  URL2 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...
  URL3 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter
  URL4 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1
  URL5 http://bace.bsd.uchicago.edu/srp/jdh/Sections
  URL6 http://bace.bsd.uchicago.edu/srp/jdh
  URL7 http://bace.bsd.uchicago.edu/srp
  URL8 http://bace.bsd.uchicago.edu
  BASE0 http://bace.bsd.uchicago.edu
  BASE1 http://bace.bsd.uchicago.edu
  BASE2 http://bace.bsd.uchicago.edu/srp
  BASE3 http://bace.bsd.uchicago.edu/srp/jdh
  BASE4 http://bace.bsd.uchicago.edu/srp/jdh/Sections
  BASE5 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1
  BASE6 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter
  BASE7 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...
  BASE8 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...
  BASE9 http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduc...

environ
  HTTP_COOKIE 'tree-s="eJzTyCkw5NLIKTDiClZ3hANPW3WuAmOuRKCECUjWFEU2EiRrBpY1B8laoMimg2QtwbKGBiBpQ0MkeeMgV5C8oRFXIhiA5I2R5bNDwfImEANMwQaYIRQ4hbnngxWYQw3QAwBNLzCv"; _ZopeId="88234626A13Ni1oME3c"; __cp="x%DA%D3%60b%60%60%C8%04b%86hF%20%A1%C1%02%24%8AA%DCbf%10QTP%0C%121200-%E6%03%09d%96%A4%C6%17%24%16%25%E6%16%C7%17T%02%00%D9w%0A%F9"'
  SERVER_SOFTWARE 'Zope/(Zope 2.7.3-0, python 2.3.4, linux2) ZServer/1.1'
  SCRIPT_NAME ''
  REQUEST_METHOD 'GET'
  HTTP_KEEP_ALIVE '300'
  SERVER_PROTOCOL 'HTTP/1.1'
  QUERY_STRING 'project_id=A%20Proj&student_id=J%20Hunter'
  channel.creation_time 1118156005
  CONNECTION_TYPE 'keep-alive'
  HTTP_ACCEPT_CHARSET 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
  HTTP_USER_AGENT 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4'
  HTTP_REFERER 'http://bace.bsd.uchicago.edu/srp/jdh'
  SERVER_NAME 'render.bsd.uchicago.edu'
  REMOTE_ADDR '128.135.90.133'
  PATH_TRANSLATED '/srp/jdh/Sections/S1/J Hunter/manage_addProduct/Course/ProjectSubmission_addForm'
  SERVER_PORT '80'
  HTTP_HOST 'bace.bsd.uchicago.edu'
  HTTP_ACCEPT 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'
  GATEWAY_INTERFACE 'CGI/1.1'
  HTTP_ACCEPT_LANGUAGE 'en-us,en;q=0.5'
  HTTP_ACCEPT_ENCODING 'gzip,deflate'
  PATH_INFO
John Hunter wrote at 2005-6-7 09:52 -0500:
... Traceback (innermost last): ... URL: http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_ad... Physical Path:/srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm * Module DocumentTemplate.DT_String, line 474, in __call__ * Module DocumentTemplate.DT_With, line 76, in render
Unauthorized: You are not allowed to access 'mentor' in this context
The "VerboseSecurity" product may give you more detailed information.

I usually analyse such problems in an interactive Python interpreter. Under *nix, you start it with "bin/zopectl debug" (for Windows, a "*.bat" file has been posted --> mailing list archive).

You log in in the interactive Python interpreter with

  UF = app.acl_users                  # or some other user folder
  u = UF.getUser('your_user')         # whatever user you want
  from AccessControl.SecurityManagement import newSecurityManager
  newSecurityManager(None, u.__of__(UF))   # "u" is now logged in

You can check whether Zope thinks the current user can access attribute "a" with value "v" from container "c" with

  from AccessControl import getSecurityManager as gSM
  sm = gSM()                          # the security manager
  sm.validate(c, c, a, v)

It will return "1" for access allowed, or 0 or an "Unauthorized" exception (do not ask why) for access denied.

For attributes without their own security declarations (such as properties), "validate" will consult "c.__roles__" (the roles allowed to access "c") and "c.__allow_access_to_unprotected_subobjects__".

-- Dieter
"Dieter" == Dieter Maurer <dieter@handshake.de> writes:
Dieter> John Hunter wrote at 2005-6-7 09:52 -0500:
>> ...
>> Traceback (innermost last):
>> ...
>> URL: http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_ad...
>> Physical Path:/srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm
>> Module DocumentTemplate.DT_String, line 474, in __call__
>> Module DocumentTemplate.DT_With, line 76, in render
>>
>> Unauthorized: You are not allowed to access 'mentor' in this context

Dieter> The "VerboseSecurity" product may give you more detailed
Dieter> information.

Hi Dieter,

I installed VerboseSecurity and now get a more helpful error message in the log (to refresh your memory, this is a pure ZClass based product which stopped working on an upgrade to 2.7). Here is the updated message:

  Exception Type Unauthorized
  Exception Value The container has no security assertions. Access to 'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.

I googled this error message and found this thread, http://www.gossamer-threads.com/lists/zope/users/176379. You responded to the OP
Unauthorized: The container has no security assertions. Access to 'title_or_id' of (FactoryDispatcher instance at e68510) denied. (Also, an error occurred while attempting to render the standard error message.)
This is very strange: It is true that a "FactoryDispatcher" ("App.FactoryDispatcher.FactoryDispatcher") does not have security assertions. But usually, it does not have a "title_or_id" either. Therefore, it should not be relevant with respect to "title_or_id" access that it lacks security assertions.

Maybe, it is a bug introduced with the security tightening introduced in Zope 2.7.3 (there was some discussion about such a bug in the mailing list (zope-dev, I think)).

You can try to add a "__role__ = None" and maybe a "__allow_access_to_unprotected_subobjects__ = 1" to the "FactoryDispatcher" class (--> "App/FactoryDispatcher.py") to see whether the problem disappears. These two attributes will provide security assertions for the factory.

Your "header/manage_main" DTML Method seems a bit strange, too. Why does it use a "dtml-in" and in it a "dtml-with" and in it access to "title_or_id"? This is somewhat unexpected in the add form of a ZClass.

But there was no followup. Before I start hacking App/FactoryDispatcher.py, I wanted to check in here and see if there was a resolution to this problem, if this is a known bug with a fix, etc.

Thanks!
JDH
"John" == John Hunter <jdhunter@ace.bsd.uchicago.edu> writes:
John> I installed VerboseSecurity and now get a more helpful error John> message in the log (to refresh your memory, this is a pure John> ZClass based product which stopped working on an upgrade to John> 2.7). Here is the updated message John> Exception Type Unauthorized John> Exception Value The container has no security John> assertions. Access to 'mentor' of (FactoryDispatcher John> instance at 40aeafb0) denied. OK, for the records, the following patch suggested by Dieter did in fact fix this problem. Thanks Dieter! render:/usr/share/zope2.7/lib/python/App> diff -c FactoryDispatcher.py FactoryDispatcher.py.bak *** FactoryDispatcher.py 2005-06-15 10:01:07.000000000 -0500 --- FactoryDispatcher.py.bak 2005-06-15 09:59:47.000000000 -0500 *************** *** 42,49 **** """ _owner=UnownableOwner ! __allow_access_to_unprotected_subobjects__=1 ! __role__ = None def __init__(self, product, dest, REQUEST=None): if hasattr(product,'aq_base'): product=product.aq_base self._product=product --- 42,48 ---- """ _owner=UnownableOwner ! def __init__(self, product, dest, REQUEST=None): if hasattr(product,'aq_base'): product=product.aq_base self._product=product
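Review bot: the diff is generated backwards ("diff -c FactoryDispatcher.py FactoryDispatcher.py.bak" puts the patched file on the "old" side), so the two "!" lines in the first half, "__allow_access_to_unprotected_subobjects__=1" and "__role__ = None", are the lines that were added, not removed; regenerate it as "diff -c FactoryDispatcher.py.bak FactoryDispatcher.py" so it can be applied with patch without -R. Second, "__role__ = None" is not a name Zope's security policy reads; the attribute it consults is "__roles__" (plural, as Dieter spells it in his follow-up), so that line is inert and the whole effect of the patch comes from "__allow_access_to_unprotected_subobjects__=1". That setting is a blanket grant: any attribute reached through a FactoryDispatcher that carries no "__roles__" of its own is handed out to every user who is allowed to reach manage_addProduct/Course at all, with no regard for the "Add Project Submissions" permission. Keep it as a local workaround only, and note that lib/python/App is part of the Zope distribution, so the next upgrade will silently revert it.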
John Hunter wrote at 2005-6-15 09:48 -0500:
... I installed VerboseSecurity and now get a more helpful error message in the log (to refresh your memory, this is a pure ZClass based product which stopped working on an upgrade to 2.7). Here is the updated message
Exception Type Unauthorized
Exception Value The container has no security assertions. Access to 'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.
I googled this error message and found this thread, http://www.gossamer-threads.com/lists/zope/users/176379. You responded to the OP ... It is true that a "FactoryDispatcher" ("App.FactoryDispatcher.FactoryDispatcher") does not have security assertions.... ... You can try to add a "__role__ = None" and maybe a "__allow_access_to_unprotected_subobjects__ = 1" to the "FactoryDispatcher" class (--> "App/FactoryDispatcher.py") to see whether the problem disappears. These two attributes will provide security assertions for the factory.
Note that this is only a hack!

All objects in the "FactoryDispatcher" should provide their own security declarations. Then, they would not depend on that of the container.

Thus, the primary problem is that "mentor" magically does not have a "__roles__" attribute or (maybe) that it was never expected to be accessed via the "FactoryDispatcher".

-- Dieter
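The check Dieter walked through earlier in the thread (sm.validate consulting c.__roles__ and c.__allow_access_to_unprotected_subobjects__ for attributes that carry no declaration of their own) and the hack-versus-proper-fix distinction he draws here can both be exercised without a Zope instance. The block below is an added example, not code from the thread or from Zope itself: it models the order of checks in AccessControl.ZopeSecurityPolicy.validate for the no-declaration case, with a plain User record standing in for the real user object and acquisition of __roles__ through the container left out. FactoryDispatcher is the real class name; User, PatchedFactoryDispatcher, ProtectedValue, try_access and the sample mentor value are invented for the illustration.

```python
# Added example, not code from the thread or from Zope: a stripped-down model of
# ZopeSecurityPolicy.validate for values that carry no __roles__ of their own.
# Assumptions: a User record with a flat role set replaces Zope's user object,
# and __roles__ is NOT acquired through the container (real Zope would try to).
from dataclasses import dataclass

NOROLES = object()          # sentinel: "no __roles__ declaration present"


class Unauthorized(Exception):
    """Stands in for AccessControl.Unauthorized."""


@dataclass(frozen=True)
class User:                 # hypothetical stand-in for a Zope user object
    name: str
    roles: frozenset


def _roles_of(obj):
    return getattr(obj, "__roles__", NOROLES)


def validate(user, container, name, value):
    """Return 1 if `user` may read attribute `name` (holding `value`) from `container`.

    1. value has its own __roles__            -> decide on those roles
    2. otherwise the container must opt in via __allow_access_to_unprotected_subobjects__
       (missing or false -> "The container has no security assertions")
    3. then container.__roles__ is used; if the container has none either, access is allowed
    """
    roles = _roles_of(value)
    if roles is NOROLES:
        allow = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
        if isinstance(allow, dict):          # per-name mapping form
            allow = allow.get(name)
        elif callable(allow):                # callable(name, value) form
            allow = allow(name, value)
        if not allow:
            raise Unauthorized("The container has no security assertions. "
                               f"Access to {name!r} of {type(container).__name__} denied.")
        roles = _roles_of(container)
        if roles is NOROLES:
            return 1
    if roles is None:                        # declared public
        return 1
    if user.roles.intersection(roles):
        return 1
    raise Unauthorized(f"You are not allowed to access {name!r} in this context")


def try_access(user, container, name, value):
    """Return (allowed, message) instead of raising, so results can be tabulated."""
    try:
        return validate(user, container, name, value) == 1, "ok"
    except Unauthorized as exc:
        return False, str(exc)


class FactoryDispatcher:
    """As shipped: neither __roles__ nor __allow_access_to_unprotected_subobjects__."""


class PatchedFactoryDispatcher(FactoryDispatcher):
    """Dieter's hack: the container opts in for every unprotected subobject."""
    __allow_access_to_unprotected_subobjects__ = 1


class ProtectedValue(str):
    """Proper fix: the value carries its own declaration, so the container is irrelevant."""
    __roles__ = ("Student", "Manager")


STUDENT = User("student", frozenset({"Student", "Authenticated"}))
ANONYMOUS = User("Anonymous User", frozenset({"Anonymous"}))
MENTOR = "A. Mentor"        # constructed sample property value, not data from the thread


def scenarios():
    return {
        "plain value, unpatched dispatcher, student":
            try_access(STUDENT, FactoryDispatcher(), "mentor", MENTOR),
        "plain value, patched dispatcher, student":
            try_access(STUDENT, PatchedFactoryDispatcher(), "mentor", MENTOR),
        "plain value, patched dispatcher, anonymous":
            try_access(ANONYMOUS, PatchedFactoryDispatcher(), "mentor", MENTOR),
        "declared value, unpatched dispatcher, student":
            try_access(STUDENT, FactoryDispatcher(), "mentor", ProtectedValue(MENTOR)),
        "declared value, unpatched dispatcher, anonymous":
            try_access(ANONYMOUS, FactoryDispatcher(), "mentor", ProtectedValue(MENTOR)),
    }


if __name__ == "__main__":
    for label, (allowed, msg) in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {msg}")
```

Running it prints one line per scenario: the unpatched dispatcher denies the plain value with the same "container has no security assertions" message VerboseSecurity reported; the patched dispatcher allows it for the student but equally for the anonymous user, which is why the patch is a hack; the value that carries its own __roles__ is allowed for the student and denied for anonymous whatever the container says. In a real "zopectl debug" session the corresponding calls are newSecurityManager(None, user) and getSecurityManager().validate(c, c, name, value).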
"Dieter" == Dieter Maurer <dieter@handshake.de> writes:
Dieter> Note that this is only a hack!

Dieter> All objects in the "FactoryDispatcher" should provide
Dieter> their own security declarations. Then, they would not
Dieter> depend on that of the container.

Dieter> Thus, the primary problem is that "mentor" magically
Dieter> does not have a "__roles__" attribute or (maybe) that it
Dieter> was never expected to be accessed via the
Dieter> "FactoryDispatcher".

My classes are all defined through the old ZClass mechanism and I don't see any way to fix the problem on my end. I've added these security assertions and roles when writing pure python products, but do not know how to do it with ZClasses (is it possible?)

Is this a bug in my ZClasses or a zope bug?

Thanks!
JDH
John Hunter wrote at 2005-6-15 14:42 -0500:
... Dieter> Thus, the primary problem is that "mentor" magically Dieter> does not have a "__roles__" attribute or (maybe) that it Dieter> was never expected to be accessed via the Dieter> "FactoryDispatcher".
My classes are all defined through the old ZClass mechanism and I don't see any way to fix the problem on my end. I've added these security assertions and roles when writing pure python products, but do not know how to do it with ZClasses (is it possible?)
Is this a bug in my ZClasses or a zope bug?
I did not yet analyse how ZClass security works. My ZClasses work, but I still use Zope 2.7.2, and several security tightening measures in 2.7.3 introduced a lot of problems. Maybe also for ZClasses...

In your product, you have a "mentor_add_permission", and in the "Define permissions" tab of your mentor ZClass you map "Create class instances" to this (or another existing) permission?

-- Dieter
Participants (2): Dieter Maurer, John Hunter