Re: ZClasses and Permissions (Zope Collector 444)
Please stay on the mailing list! I do not want to become a private consultant!

Brent Hendricks writes:
> ... The situation is this: My ZClass contains a script (called renameFiles) that calls manage_renameObjects. I'd like anyone who can View that script to be able to run it correctly. I first tried setting a proxy role of Manager on the script, but that didn't work.

The reason is almost surely a bug in "manage_pasteObject". It does not honour "execution permissions" such as proxy roles.

> Digging into the Zope code a bit, I discovered that manage_renameObjects falls under the "View management screens" permission,

Almost surely, your problem is not caused by a missing permission on "manage_renameObjects" itself, but inside "manage_pasteObjects". Cancel the browser login dialog and look at the traceback. Where does the exception come from?

> so I mapped that permission to "View" on the ZClass "Define Permission" tab (ie. View Management Screens in the left column, and View in the right).

The "Define Permission" tab in the ZClass itself is ineffective. It should be removed. (I expect this is "Collector 444").

> This, however, also failed to work. Next I tried doing the mapping on the "Security" tab of the script itself. No go.

This may be able to map "View management screens" such that you can access "manage_renameObjects", but probably "manage_pasteObjects" still fails because the necessary permission (create permission) is checked on the target ObjectManager.

Please check what access is really denied to you (as described above).

> What is the "correct" thing to do?

Find out what the real problem is. Then, we can think about it again.

Dieter

Dieter Maurer wrote:
>> Digging into the Zope code a bit, I discovered that manage_renameObjects falls under the "View management screens" permission,
>
> Almost surely, your problem is not caused by a missing permission on "manage_renameObjects" itself, but inside "manage_pasteObjects". Cancel the browser login dialog and look at the traceback. Where does the exception come from?

Here's the last few lines:

    (Info: ({'script': <PythonScript instance at 8d4add0>, 'context': <RisaWorkgroup instance at 8fb22a0>, 'container': <RisaWorkgroup instance at 8fb22a0>, 'traverse_subpath': []}, (), {}, None))
    File Script (Python), line 17, in renameFiles
    File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 286, in manage_renameObjects
      (Object: 192)
    File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 301, in manage_renameObject
      (Object: 192)
    File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 414, in _verifyObjectPaste
      (Object: 192)
    Unauthorized: Add Documents, Images, and Files

It's not going through manage_pasteObjects, but the function that raises the error does appear to be _verifyObjectPaste (perhaps this is what you meant?)

> This may be able to map "View management screens" such that you can access "manage_renameObjects", but probably "manage_pasteObjects" still fails because the necessary permission (create permission) is checked on the target ObjectManager.

Gotcha. Hence the "Unauthorized: Add Documents, Images, and Files." In this case, the ObjectManager in question is an instance of my ZClass, which subclasses ZObjectManager. It looks like _verifyObjectPaste is calling getSecurityManager().checkPermission( mt_permission, self ), and this is failing. Digging through the source code a bit, it doesn't look like checkPermission() checks for proxy roles. In fact, looking at the current CVS HEAD, there's even a comment to this effect: "# XXX proxy roles and executable owner are not checked" :(

--Brent
-------------------------------------------------------------------------
"The programmer, like the poet, works only slightly removed from pure thought-stuff. He builds his castles in the air, from air, creating by exertion of the imagination. Few media of creation are so flexible, so easy to polish and rework, so readily capable of realizing grand conceptual structures."
-- Frederick Brooks, Jr., The Mythical Man Month

Brent Hendricks writes:
> ... It looks like _verifyObjectPaste is calling getSecurityManager().checkPermission( mt_permission, self ), and this is failing. Digging through the source code a bit, it doesn't look like checkPermission() checks for proxy roles. In fact, looking at the current CVS HEAD, there's even a comment to this effect:
> "# XXX proxy roles and executable owner are not checked"

The well known bug....

Dieter
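
An added illustration, not part of either poster's message and not Zope's code: a simplified Python model of the behaviour discussed in this thread, contrasting a permission check that ignores the running script's proxy roles with one that honours them. The class names, `check_with_proxy` and the role assignments are assumptions made for the example.

```python
# Simplified model of the checks discussed in this thread; not Zope source code.
from dataclasses import dataclass

ADD_PERM = "Add Documents, Images, and Files"  # permission named in the traceback

@dataclass
class Script:
    """Stands in for a Python Script; proxy roles replace the caller's roles."""
    proxy_roles: frozenset = frozenset()

@dataclass
class Folder:
    """Stands in for the target ObjectManager: permission -> roles granted it."""
    grants: dict

class SecurityManager:
    def __init__(self, user_roles):
        self.user_roles = frozenset(user_roles)
        self.stack = []  # executables currently running, innermost last

    def check_user_only(self, permission, obj):
        """Check as described in the thread: the executable stack is ignored."""
        return bool(self.user_roles & obj.grants.get(permission, frozenset()))

    def check_with_proxy(self, permission, obj):
        """Hypothetical variant that honours the innermost script's proxy roles."""
        roles = self.user_roles
        if self.stack and self.stack[-1].proxy_roles:
            roles = self.stack[-1].proxy_roles
        return bool(roles & obj.grants.get(permission, frozenset()))

def run_rename(sm, script, folder, check):
    """Mimics renameFiles reaching the add-permission check on the target."""
    sm.stack.append(script)
    try:
        return "renamed" if check(ADD_PERM, folder) else "Unauthorized: " + ADD_PERM
    finally:
        sm.stack.pop()

def demo():
    # Constructed sample data: only Manager may add objects to the folder.
    folder = Folder({ADD_PERM: frozenset({"Manager"})})
    proxied = Script(frozenset({"Manager"}))
    viewer, manager = SecurityManager({"Anonymous"}), SecurityManager({"Manager"})
    restricted = Script(frozenset({"Anonymous"}))  # proxy roles can also restrict
    return (run_rename(viewer, proxied, folder, viewer.check_user_only),
            run_rename(viewer, proxied, folder, viewer.check_with_proxy),
            run_rename(manager, restricted, folder, manager.check_with_proxy))
```

The first result reproduces the failure in the traceback above; the third shows that when proxy roles are honoured they replace the caller's roles, so they can reduce access as well as grant it.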