Hi *,

I am trying to have a folderish object that acquires from a user object (ldapuserfolder). It should have its own properties and contents, but fall back to the ones of the ldap user.

I have created an object, extending Folder, and it behaves nicely in zopectl debug. When I try to access it through e.g. a python script I get an:

Error Type: Unauthorized
Error Value: Unable to find __roles__ in the container and the container is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at /testfolder/ldapproxy), denied.

I am sure it's my lack of understanding of acquisition. I am trying to basically put ldap user object 'on top' of the acquisition line (with the ldapproxy at the bottom), but obviously failing in doing so. Any ideas?

Cheers,
Joerg

--------8< excerpt from code ---------------
class LDAPProxy(Folder):

    meta_type='LDAPProxy'

    def __init__(self, id, remoteid,title='',REQUEST=None):
        self.id = id
        self.title = title
        self.remoteid = remoteid

    def __of__(self, parent):
        if not hasattr(parent,'aq_base'):
            return self
        folder,id = self.remoteid.split(':')
        acl = parent.restrictedTraverse(folder)
        remote = acl.getUser(id)
        return Folder.__of__(self,parent.__of__(remote))

------- teststructure----------
/testfolder/ ldapproxy (LDAPProxy) acl_users/ testscript (.py)

--------8< testscript ---------------------
return context.ldapproxy.dn

--------traceback--------------------------
Traceback (most recent call last):
  File "/home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py", line 113, in publish
    request, bind=1)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/mapply.py", line 88, in mapply
    if debug is not None: return debug(object,args,context)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py", line 40, in call_object
    result=apply(object,args) # Type s<cr> to step into published object.
  File "/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py", line 311, in __call__
    return self._bindAndExec(args, kw, None)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py", line 348, in _bindAndExec
    return self._exec(bound_data, args, kw)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/Products/PythonScripts/PythonScript.py", line 323, in _exec
    result = f(*args, **kw)
  File "Script (Python)", line 1, in testscript
  File "/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py", line 727, in guarded_getattr
    aq_acquire(inst, name, aq_validate, validate)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py", line 669, in aq_validate
    return validate(inst, object, name, v)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py", line 563, in validate
    self._context)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py", line 293, in validate
    accessed, container, name, value, context)
  File "/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py", line 808, in raiseVerbose
    raise Unauthorized(text)
Unauthorized: Unable to find __roles__ in the container and the container is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at /testfolder/ldapproxy), denied.

On Monday 25 February 2008 20:45:37 Joerg Baach wrote:
> Hi *,
> I am trying to have a folderish object that acquires from a user object (ldapuserfolder). It should have its own properties and contents, but fall back to the ones of the ldap user.
> I have created an object, extending Folder, and it behaves nicely in zopectl debug. When I try to access it through e.g. a python script I get an:
> Error Type: Unauthorized Error Value: Unable to find __roles__ in the container and the container is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at /testfolder/ldapproxy), denied.
> I am sure it's my lack of understanding of acquisition. I am trying to basically put ldap user object 'on top' of the acquisition line (with the ldapproxy at the bottom), but obviously failing in doing so. Any ideas?

I'm not familiar with LDAPUserFolder (it's not really a user object but a user container, isn't it?) but the error you're getting is a security error -- the Python Script checks for security attributes before it accesses attributes. You need to add the appropriate security declarations in your product before it can be used inside PyScript.

You might try the verbose-security directive in zope.conf to debug stuff like that; I hope it is available in the version of Zope you're running (I'm on 2.10).

As a hack to disable all security checks on a class you can add the attribute __allow_access_to_unprotected_subobjects__ = 1, effectively disabling security. This of course should only be done if you trust your users!

hth
peter.

Hi Peter,
> I'm not familiar with LDAPUserFolder (it's not really a user object but a user container, isn't it?) but the error you're getting is a security error -- the Python Script checks for security attributes before it accesses attributes. You need to add the appropriate security declarations in your product before it can be used inside PyScript

Well, even with:

__allow_access_to_unprotected_subobjects__ = 1

I get the same error. VerboseSecurity is also on. :-(

Cheers,
Joerg

On Monday 25 February 2008 21:31:46 Joerg Baach wrote:
> Hi Peter,
> > I'm not familiar with LDAPUserFolder (it's not really a user object but a user container, isn't it?) but the error you're getting is a security error -- the Python Script checks for security attributes before it accesses attributes. You need to add the appropriate security declarations in your product before it can be used inside PyScript
> Well, even with: __allow_access_to_unprotected_subobjects__ = 1 I get the same error. VerboseSecurity is also on. :-(

I should have mentioned that in order for verbose-security to work you also need to switch to the python security implementation -- did you do that?

"security-policy-implementation python" in zope.conf

If yes, you should see lines like these in your event.log:

2008-02-25T22:30:18 DEBUG ImplPython Unauthorized: Your user account does not have the required permission. Access to 'manage' of (Application at ) denied. Your user account, Anonymous User, exists at /acl_users. Access requires one of the following roles: ['Manager']. Your roles in this context are ['Anonymous'].

peter.

> I should have mentioned that in order for verbose-security to work you also need to switch to the python security implementation -- did you do that?

Yes, I did.

> If yes, you should see lines like these in your event.log:

No, don't :-(

But somehow I have the feeling it has more to do with the 'and the container is not wrapped' part of the message. Not that I can make sense of it ;-)

Cheers,
Joerg

On Monday 25 February 2008 22:45:24 Joerg Baach wrote:
> > I should have mentioned that in order for verbose-security to work you also need to switch to the python security implementation -- did you do that?
> Yes, I did.
> > If yes, you should see lines like these in your event.log:
> No, don't :-(

Strange...

> But somehow I have the feeling it has more to do with the 'and the container is not wrapped' part of the message. Not that I can make sense of it ;-)

Yes, definitely. It's just with VerboseSecurity it's easier to debug...

Another option: put a debugger breakpoint (eg. "import pdb; pdb.set_trace()") at the place where the "Unauthorized" exception is raised and inspect the objects.

peter.

ps.: http://www.zope.org/Documentation/Books/ZDG/current/Security.stx has old but AFAIK still good info

Hi *,
> But somehow I have the feeling it has more to do with the 'and the container is not wrapped' part of the message. Not that I can make sense of it ;-)

Mmm, after even more searching, and not understanding I found

http://www.mail-archive.com/zope-dev@zope.org/msg11438.html

and changed my code to:

    def __of__(self, parent):
        '''foo'''
        if not hasattr(parent,'aq_base'):
            return self
        folder,id = self.remoteid.split(':')
        acl = parent.unrestrictedTraverse(folder)
        remote = acl.getUser(id)
        return Acquisition.ImplicitAcquisitionWrapper(aq_base(self),
                                                      aq_base(remote).__of__(parent))

Now, this actually seems to work. If only I knew why....

Cheers,
Joerg

On Monday 25 February 2008 23:52:26 Joerg Baach wrote:
> Hi *,
> > But somehow I have the feeling it has more to do with the 'and the container is not wrapped' part of the message. Not that I can make sense of it ;-)
> Mmm, after even more searching, and not understanding I found
> http://www.mail-archive.com/zope-dev@zope.org/msg11438.html
> and changed my code to:
>
>     def __of__(self, parent):
>         '''foo'''
>         if not hasattr(parent,'aq_base'):
>             return self
>         folder,id = self.remoteid.split(':')
>         acl = parent.unrestrictedTraverse(folder)

You're now doing no security checks on traversal, probably that's why you don't get any Unauthorized exceptions :-)

- peter.

>         remote = acl.getUser(id)
>         return Acquisition.ImplicitAcquisitionWrapper(aq_base(self),
>                                                       aq_base(remote).__of__(parent))
>
> Now, this actually seems to work. If only I knew why....
> Cheers,
> Joerg

Hi Peter,
>         acl = parent.unrestrictedTraverse(folder)

when changing to

    acl = parent.restrictedTraverse(folder)

I still don't get the Unauthorized exceptions. Anyhow, I will have to do a bit more wrapping, and then see if the solutions survive the security testing ;-)

Cheers,
Joerg

Hi again,
> 2008-02-25T22:30:18 DEBUG ImplPython Unauthorized: Your user account does not have the required permission. Access to 'manage' of (Application at ) denied. Your user account, Anonymous User, exists at /acl_users. Access requires one of the following roles: ['Manager']. Your roles in this context are ['Anonymous'].

Actually, if I change my code to something like:

    def __of__(self, parent):
        '''foo'''
        if not hasattr(parent,'aq_base'):
            return self
        folder,id = self.remoteid.split(':')
        acl = parent.restrictedTraverse(folder)
        remote = acl.getUser(id)
        self = Acquisition.ImplicitAcquisitionWrapper(self, remote)
        self = Acquisition.ImplicitAcquisitionWrapper(self, parent)
        return self

(idea taken from http://www.mail-archive.com/zope-dev@zope.org/msg11713.html)

I get a

Error Type: Unauthorized
Error Value: Your user account is defined outside the context of the object being accessed. Access to 'ldapproxy' of (Folder at /testfolder) denied. Your user account, admin, exists at /acl_users. Access requires one of the following roles: ['Manager'].

Well, admin has 'Manager'.

/me scratches his head

Cheers,
Joerg

Joerg Baach wrote at 2008-2-25 22:03 +0000:
> ... Error Type: Unauthorized Error Value: Your user account is defined outside the context of the object being accessed.

This is a different spelling for what I called in the last message "object not covered by the user folder identifying the current user".

--
Dieter

This is maybe a naive suggestion but if Zope's TTW execution (e.g. Python Scripts) can't find a __roles__ on the object at hand doesn't that just mean that the class wasn't initialized with any security.

    class LDAPProxy(Folder):
        ...

    from Globals import InitializeClass
    InitializeClass(LDAPProxy)

That should set the *__roles__ on all its methods.

-- Peter Bengtsson, work www.fry-it.com home www.peterbe.com hobby www.issuetrackerproduct.com
Joerg Baach wrote at 2008-2-25 19:45 +0000:
> ... I am trying to have a folderish object that acquires from a user object (ldapuserfolder). It should have its own properties and contents, but fall back to the ones of the ldap user.
> I have created an object, extending Folder, and it behaves nicely in zopectl debug. When I try to access it through e.g. a python script I get an:
> Error Type: Unauthorized Error Value: Unable to find __roles__ in the container and the container is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at /testfolder/ldapproxy), denied.

When you access attribute "x" (with value "xv") on object "o", Zope will first check whether "xv" has security declarations (more precisely, a "__roles__" attribute). If it has, they are used.

Otherwise, Zope checks for "o.x__roles__". If found, they are used.

Otherwise, "o.__roles__" may be examined (under some circumstances).

Note that for most security declarations, "o" needs to be fully acquisition wrapped. Otherwise, there may be two problems:

  * Zope cannot find the information to map permissions to roles (as this mapping is defined on the acquisition path leading to the root)

  * "o" is not "covered" by the user folder which has identified the current user. A user has only special roles on objects "covered" by its user folder. An object is "covered" by a user folder, when the object lies in the subtree rooted in the user folder's container.

--
Dieter
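
The lookup order and the two wrapping problems described in the message above, as an added example: a simplified pure-Python model, not Zope's AccessControl code and not code from anyone in this thread. `Node`, `find_roles`, `is_covered`, `validate` and `outcome` are hypothetical names, the tree is constructed, and walking up the parents for `__roles__` in step 3 is an assumption standing in for acquisition.

```python
# Simplified model of the checks described above; not Zope's AccessControl code.
_MISSING = object()

class Unauthorized(Exception):
    pass

class Node:
    def __init__(self, name, parent=None, **attrs):
        self.name, self.parent = name, parent  # parent=None: not acquisition wrapped
        self.__dict__.update(attrs)

def find_roles(o, name):
    """Return (roles, where_found) for attribute `name` of container `o`."""
    value = getattr(o, name)
    roles = getattr(value, "__roles__", _MISSING)      # 1. the value's own __roles__
    if roles is not _MISSING:
        return roles, "value"
    roles = getattr(o, name + "__roles__", _MISSING)   # 2. o.x__roles__
    if roles is not _MISSING:
        return roles, "container attribute"
    node = o                                           # 3. o.__roles__, then (assumed)
    while node is not None:                            #    the parents on o's path
        if "__roles__" in node.__dict__:
            return node.__dict__["__roles__"], "container " + node.name
        if node is o and o.parent is None:
            raise Unauthorized("Unable to find __roles__ in the container "
                               "and the container is not wrapped.")
        node = node.parent
    raise Unauthorized("No __roles__ found on the acquisition path.")

def is_covered(o, user_folder_container):
    """True when `o` lies in the subtree rooted in the user folder's container."""
    while o is not None:
        if o is user_folder_container:
            return True
        o = o.parent
    return False

def validate(o, name, user_roles, user_folder_container):
    roles, where = find_roles(o, name)
    if not is_covered(o, user_folder_container):
        raise Unauthorized("Your user account is defined outside the context "
                           "of the object being accessed.")
    if not set(user_roles) & set(roles):
        raise Unauthorized("Your user account does not have the required permission.")
    return where

def outcome(o, name, user_roles, user_folder_container):
    try:
        return "allowed via " + validate(o, name, user_roles, user_folder_container)
    except Unauthorized as exc:
        return "Unauthorized: " + str(exc)

# Constructed sample tree; the user folder holding admin (Manager) sits in root.
root = Node("root", __roles__=("Manager",))
testfolder = Node("testfolder", parent=root)
bare_user = Node("test", dn="cn=test")                        # unwrapped user object
wrapped_user = Node("test", parent=testfolder, dn="cn=test")  # path reaches root
detached = Node("ldapproxy", parent=bare_user, title="t", __roles__=("Manager",))
for obj, attr in ((bare_user, "dn"), (wrapped_user, "dn"), (detached, "title")):
    print(obj.name, attr, "->", outcome(obj, attr, ("Manager",), root))
```

The third case has roles declared directly on the object and still fails, because its parent chain ends at the unwrapped user object and never reaches the container of the user folder.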
Participants (4): Dieter Maurer, Joerg Baach, Peter Bengtsson, Peter Sabaini