Giving access to error_log.showEntry to non-Manager users
Dear all, I'm trying to give all authenticated users access to the error log of an error that they just encountered. I'm using the error_log_url available in the standard_error_message to direct the user to the appropriate error log. This works fine for users with Manager role, but I cannot make it work for other authenticated users. I modified the error_log access to include 'View', 'View management screens' and 'Log Site Errors', but it doesn't help, unless I give 'View management screens' to Authenticated in the Zope root, which opens up too much. The actual access error is on 'manage_page_header' - I append the error traceback. I've also tried to access the error_log through a DTML with proxy set to Manager, to no avail. Any tips? Thank you and best regards, Martin Gfeller, COMIT AG, mailto:martin.gfeller@comit.ch Error Traceback, Zope 2.10.1 on Windows. SERVER_SOFTWARE 'Zope/(unreleased version, python 2.4.4, win32) ZServer/1.1' Traceback (innermost last): Module ZPublisher.Publish, line 115, in publish Module ZPublisher.mapply, line 88, in mapply Module ZPublisher.Publish, line 41, in call_object Module Shared.DC.Scripts.Bindings, line 313, in __call__ Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec Module Products.PageTemplates.PageTemplateFile, line 121, in _exec Module Products.PageTemplates.PageTemplate, line 89, in pt_render Module zope.pagetemplate.pagetemplate, line 117, in pt_render Module zope.tal.talinterpreter, line 271, in __call__ Module zope.tal.talinterpreter, line 346, in interpret Module zope.tal.talinterpreter, line 534, in do_optTag_tal Module zope.tal.talinterpreter, line 516, in no_tag Module zope.tal.talinterpreter, line 346, in interpret Module zope.tal.talinterpreter, line 745, in do_insertStructure_tal Module zope.tales.tales, line 696, in evaluate - URL: showEntry - Line 1, Column 0 - Expression: <PathExpr standard:'here/manage_page_header'> - Names: {'container': <SiteErrorLog at /Quantax/error_log>, 'context': <SiteErrorLog at /Quantax/error_log>, 'default': <object object at 0x00A3B528>, 'here': <SiteErrorLog at /Quantax/error_log>, 'loop': {}, 'nothing': None, 'options': {'args': ()}, 'repeat': <Products.PageTemplates.Expressions.SafeMapping object at 0x05079DA0>, 'request': <HTTPRequest, URL=http://127.0.0.1:8080/Quantax/error_log/showEntry>, 'root': <Application at >, 'template': <PageTemplateFile at /Quantax/error_log/showEntry>, 'user': <GRUFUser 'dealer'>} Module zope.tales.expressions, line 217, in __call__ Module Products.PageTemplates.Expressions, line 122, in _eval Module zope.tales.expressions, line 124, in _eval Module Products.PageTemplates.Expressions, line 71, in boboAwareZopeTraverse Module OFS.Traversable, line 301, in restrictedTraverse Module OFS.Traversable, line 274, in unrestrictedTraverse - __traceback_info__: ([], 'manage_page_header') Unauthorized: You are not allowed to access 'manage_page_header' in this context
--On 15. Januar 2007 11:26:27 +0100 martin.gfeller@comit.ch wrote:
The actual access error is on 'manage_page_header' - I append the error traceback.
Stuff that starts with 'manage_' always requires the Manager role. -aj
Andreas Jung wrote at 2007-1-15 11:35 +0100:
--On 15. Januar 2007 11:26:27 +0100 martin.gfeller@comit.ch wrote:
The actual access error is on 'manage_page_header' - I append the error traceback.
Stuff that starts with 'manage_' always requires the Manager role.
Where did you find this? In my view it is not and was never right... There is not special protection for objects the name of which starts with "manage_". A primary counter example are the hundreds of "constructors" registered with "initializeClass" which traditionally are named "manage_addXXXX[Form]" but are protected by "Add XXX permission" which are often not restricted to "Manager" only. -- Dieter
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dieter Maurer wrote:
Andreas Jung wrote at 2007-1-15 11:35 +0100:
--On 15. Januar 2007 11:26:27 +0100 martin.gfeller@comit.ch wrote:
The actual access error is on 'manage_page_header' - I append the error traceback.
Stuff that starts with 'manage_' always requires the Manager role.
Where did you find this?
In my view it is not and was never right... There is not special protection for objects the name of which starts with "manage_".
A primary counter example are the hundreds of "constructors" registered with "initializeClass" which traditionally are named "manage_addXXXX[Form]" but are protected by "Add XXX permission" which are often not restricted to "Manager" only.
App.class_init.default__class_init__ requires 'Manager' role for methods whose name is 'manage' and those which start with 'manage_', but only if they were otherwise unprotected. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFrSW++gerLs4ltQ4RAk71AKCGs18XZK4pHTRhzWUw6Zbq+w1s/gCeJp8/ iK8wyPgpLfqcxwLyt+0Z/KU= =WQqR -----END PGP SIGNATURE-----
Stuff that starts with 'manage_' always requires the Manager role.
It seems that this is declared in App.Management.Navigation as: security.declareProtected(view_management_screens, 'manage_page_header') However, I found a way around: Using the call error_log/getLogEntryById instead of the error_log/showEntry that is returned by error_log_url, I get the same information outside of the management screens (it only needs 'Log Site Errors' permission. Best regards, Martin Gfeller
participants (4)
-
Andreas Jung -
Dieter Maurer -
martin.gfeller@comit.ch -
Tres Seaver