Not authorised to assign proxy role
Hi,

I'm testing my GuardedFile product on Zope 2.3.0. Here's the blurb on GuardedFile:

A GuardedFile is a Zope File that is accessible by proxy only. When a GuardedFile is created, all acquired permissions are unset. A proxy role is created in its container with the sole permission "View". When the GuardedFile is deleted, its associated proxy role is also removed. In all other aspects GuardedFile behaves exactly like a File.

Suppose I have the following folder structure:

root |- test |- guarded

Only "root" has acl_users. I, as a regular user in "root"'s acl_users, create a GuardedFile called "agf" in "guarded"; a proxy role "proxy_for_agf" is also created in "guarded" by the product. The content of "agf" is just some text.

I then create a dtml method in "guarded" called "prox" thusly:

    <dtml-var agf>

I next try to assign to "prox" the proxy role "proxy_for_agf". The idea is that "anonymous" can access "agf" only thru "prox". I get the following error:

You are not authorized to change prox because you do not have proxy roles.

Traceback (innermost last):
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: prox)
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: manage_proxy)
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: manage_proxy)
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/OFS/DTMLMethod.py, line 351, in manage_proxy
    (Object: prox)
  File /usr/local/home/ngps/pkg/zope230-py2/lib/python/OFS/DTMLMethod.py, line 342, in _validateProxy
    (Object: prox)
Forbidden: (see above)

This used to work in Zope 2.1.x. I didn't test GuardedFile for 2.2.x.

What has changed, and what can I do to achieve what I want?

Background: GuardedFile supports ZSmime, a product to generate S/MIME-signed/encrypted messages; ZSmime provides a tag "dtml-smime". The private key required for S/MIME signature generation is stored as a GuardedFile and the dtml method that invokes dtml-smime is assigned the necessary proxy role to access the private key in said GuardedFile.

See http://www.post1.com/home/ngps/zsmime for more info.

TIA. Cheers.

--
Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps

> What has changed, and what can I do to achieve what I want?

Security was increased for Zope 2.2. This document on Zope Security for Developers may be helpful:

http://dev.zope.org/Wikis/DevSite/Projects/DeclarativeSecurity/ZopeSecurityForDevelopers

If you want to assign a proxy role to a DTML Method, the user you are logged in as must have that role. In the case of generating new local roles dynamically like you are, obviously no user will have that role. You can assign proxy roles to a DTML Method from your Python Product by messing with the _proxy_roles attribute, a tuple which contains all the proxy roles that that DTML Method has.

    self._proxy_roles = ('unique_proxy_role',)

Although I'm not certain if it's safe or wise to do that, but it does work :)

Kevin Teague
http://www.bud.ca

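Added example, not part of either poster's message and not Zope source code: a simplified Python model of the rule described in the reply above (the management path checks that the logged-in user holds each proxy role; a direct write to _proxy_roles from product code runs no such check). ModelDTMLMethod, User, product_assign_proxy and the sample user's "Owner" role are hypothetical names constructed for illustration; the "proxy_for_" naming is taken from the thread.

```python
class Forbidden(Exception):
    """Raised when a proxy-role assignment is refused."""

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

class ModelDTMLMethod:
    """Hypothetical stand-in for a DTML Method; only proxy roles are modelled."""
    def __init__(self, obj_id):
        self.id = obj_id
        self._proxy_roles = ()

    def _validate_proxy(self, user, roles):
        # Rule from the thread: the user must hold every role being assigned.
        missing = [r for r in roles if r not in user.roles]
        if missing:
            raise Forbidden("%s lacks %s" % (user.name, ", ".join(sorted(missing))))

    def manage_proxy(self, user, roles):
        # Management-screen path: checked against the logged-in user.
        roles = tuple(roles)
        self._validate_proxy(user, roles)
        self._proxy_roles = roles

def product_assign_proxy(method, guarded_id, role):
    """Product-code path: writes the attribute directly, so no user check runs.
    The only guard left is one the product imposes itself; here (an assumption)
    it accepts nothing but the role created for this guarded file."""
    expected = "proxy_for_" + guarded_id
    if role != expected:
        raise Forbidden("refusing to grant %r; expected %r" % (role, expected))
    method._proxy_roles = (role,)

def demo():
    user = User("ngps", ["Owner"])  # constructed sample user without the proxy role
    prox = ModelDTMLMethod("prox")
    try:
        prox.manage_proxy(user, ["proxy_for_agf"])
        checked = "allowed"
    except Forbidden:
        checked = "forbidden"
    product_assign_proxy(prox, "agf", "proxy_for_agf")
    return checked, prox._proxy_roles

if __name__ == "__main__":
    print(demo())
```
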
On Mon, Feb 19, 2001 at 03:43:18AM -0800, Kevin Teague wrote:
> Security was increased for Zope 2.2. This document on Zope Security for Developers may be helpful:
> http://dev.zope.org/Wikis/DevSite/Projects/DeclarativeSecurity/ZopeSecurityForDevelopers

Thanks for the pointer.

> If you want to assign a proxy role to a DTML Method, the user you are logged in as must have that role. In the case of generating new local roles dynamically like you are, obviously no user will have that role. You can assign proxy roles to a DTML Method from your Python Product by messing with the _proxy_roles attribute, a tuple which contains all the proxy roles that that DTML Method has.
>
>     self._proxy_roles = ('unique_proxy_role',)

Neat trick! ;-)

Cheers.

--
Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps