Confused about permissions
I have a simple use case for Zope where a group of users need to be able to manage content stored in external files. I installed ExternalFile and it seems to be working as expected for the admin user. I've created a folder where all ExternalFile objects reside. I've defined a local role "Editor" for that folder, added a user and assigned that user to the Editor role.

What I can't seem to do is get the permissions right such that a user in the Editor role can add new External Files. I've checked every box on the Security tab for the Editor role. Users in the Editor role can view and modify existing ExternalFile's but still cannot add new ones.

I thought maybe the problem had to do with permissions on the ExternalFile product itself, but when reading the description on the Define Permissions tab I couldn't really figure out what it was trying to say:

"The first column below lists the permissions for this object. The second specifies the permissions that should have this permission in this product or ZClass. For ZClass methods, only permissions that are defined for the ZClass are permitted. In general, any permissions that include operations that change (mutate) an object should be disabled."

What exactly does this mean?

More to the point: What permissions do I need to assign to my Editor role so users can add External Files?
In article <b311b-news-555B7E.01592813052008@news.gmane.org>, Brenda Bell <b311b-news@theotherbell.com> wrote:
> What I can't seem to do is get the permissions right such that a user in the Editor role can add new External Files.
> I've checked every box on the Security tab for the Editor role. Users in the Editor role can view and modify existing ExternalFile's but still cannot add new ones.

I enabled VerboseSecurity and I see this in my console window when I try to add an ExternalFile when logged in as a user who is assigned the Editor role:

2008-05-13 13:12:55 ERROR Zope.SiteErrorLog http://localhost:8090/foo/manage_addProduct/ExternalFile/manage_addObject ViaGui
Traceback (innermost last):
  Module ZPublisher.Publish, line 110, in publish
  Module ZPublisher.BaseRequest, line 596, in traverse
  Module ZPublisher.HTTPResponse, line 713, in unauthorized
Unauthorized: <strong>You are not authorized to access this resource.</strong><p>
No Authorization header found.</p>

A loop in BaseRequest seems to be falling through a loop that's dependent on ''__allow_groups__''. I've tried adding a group, assigning the Editor role to the group and making my user a member of the group. But I still get the same error. What am I missing?

> I thought maybe the problem had to do with permissions on the ExternalFile product itself, but when reading the description on the Define Permissions tab I couldn't really figure out what it was trying to say:
> "The first column below lists the permissions for this object. The second specifies the permissions that should have this permission in this product or ZClass. For ZClass methods, only permissions that are defined for the ZClass are permitted. In general, any permissions that include operations that change (mutate) an object should be disabled."
> What exactly does this mean?
> More to the point: What permissions do I need to assign to my Editor role so users can add External Files?
Brenda Bell wrote:
> In article <b311b-news-555B7E.01592813052008@news.gmane.org>, Brenda Bell <b311b-news@theotherbell.com> wrote:
> > What I can't seem to do is get the permissions right such that a user in the Editor role can add new External Files.
> > I've checked every box on the Security tab for the Editor role. Users in the Editor role can view and modify existing ExternalFile's but still cannot add new ones.

I don't know that product. There is likely another permission, e.g. 'Add External Files', which protects the methods used to create new instances; that permission is likely distinct from the permissions required to modify or delete those instances.

> I enabled VerboseSecurity and I see this in my console window when I try to add an ExternalFile when logged in as a user who is assigned the Editor role:
>
> 2008-05-13 13:12:55 ERROR Zope.SiteErrorLog http://localhost:8090/foo/manage_addProduct/ExternalFile/manage_addObject ViaGui
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 110, in publish
>   Module ZPublisher.BaseRequest, line 596, in traverse
>   Module ZPublisher.HTTPResponse, line 713, in unauthorized
> Unauthorized: <strong>You are not authorized to access this resource.</strong><p>
> No Authorization header found.</p>

That traceback should be from the first request, which then prompts you to log in (e.g., via basic auth). The next request should either succeed (if the login / password you supply matches), or show a different traceback (e.g., invalid credentials).

> A loop in BaseRequest seems to be falling through a loop that's dependent on ''__allow_groups__''.

'__allow_groups__' is the name which the authentication machinery uses to find the user folder: it is an alias for 'acl_users', not visible in the ZMI.

> I've tried adding a group, assigning the Editor role to the group and making my user a member of the group. But I still get the same error.
> What am I missing?
Rewa.
--
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
Brenda Bell wrote at 2008-5-13 13:27 +0000:
> In article <b311b-news-555B7E.01592813052008@news.gmane.org>, Brenda Bell <b311b-news@theotherbell.com> wrote:
> > What I can't seem to do is get the permissions right such that a user in the Editor role can add new External Files.
> > I've checked every box on the Security tab for the Editor role. Users in the Editor role can view and modify existing ExternalFile's but still cannot add new ones.
> I enabled VerboseSecurity and I see this in my console window when I try to add an ExternalFile when logged in as a user who is assigned the Editor role:
>
> 2008-05-13 13:12:55 ERROR Zope.SiteErrorLog http://localhost:8090/foo/manage_addProduct/ExternalFile/manage_addObject ViaGui
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 110, in publish
>   Module ZPublisher.BaseRequest, line 596, in traverse
>   Module ZPublisher.HTTPResponse, line 713, in unauthorized
> Unauthorized: <strong>You are not authorized to access this resource.</strong><p>
> No Authorization header found.</p>
The "manage_addObject" requires roles for which no user folder in context could identify an appropriate user.

You could try to find out in an interactive interpreter (started with "bin/zopectl debug" under "*nix") which roles are required.

    app.unrestrictedTraverse('foo/manage_addProduct/ExternalFile').manage_addObject__roles__

--
Dieter
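The lookup suggested in the reply above, extended into a small helper that also compares the required roles with the roles the user holds in context and lists the permissions not mapped to a role on the folder. This is an added example, not code from the thread, Zope or ExternalFile. The helper name `explain_denial` and its return shape are hypothetical; it only consults the nearest user folder and ignores proxy roles.

```python
# Added example: paste into a "bin/zopectl debug" session, where `app` is the
# Zope root. explain_denial and its return shape are hypothetical names.

def explain_denial(app, folder_path, method_path, userid, role):
    """Summarise why `userid` may be refused `method_path` below `folder_path`."""
    folder = app.unrestrictedTraverse(folder_path)
    container_path, _, method = method_path.rpartition('/')
    container = app.unrestrictedTraverse(container_path)

    # Same lookup as in the reply above: Zope keeps the roles allowed to call
    # method "m" in "m__roles__". None means public, () means nobody.
    required = getattr(container, method + '__roles__')

    # Nearest user folder acquired from the folder; None if it has no such user.
    user = folder.acl_users.getUser(userid)
    held = None if user is None else sorted(user.getRolesInContext(container))

    if required is None:
        allowed = True
    elif held is None:
        allowed = False
    else:
        allowed = 'Anonymous' in required or bool(set(required) & set(held))

    # Permissions whose box is not ticked for `role` on the folder's Security tab.
    unchecked = [p['name'] for p in folder.permissionsOfRole(role)
                 if not p['selected']]

    return {
        'required': None if required is None else sorted(required),
        'held': held,
        'allowed': allowed,
        'unchecked_for_role': unchecked,
    }

# At the debug prompt (the user id is a placeholder):
# explain_denial(app, 'foo',
#                'foo/manage_addProduct/ExternalFile/manage_addObject',
#                'USER_ID', 'Editor')
```

A `held` value of `None` means the nearest user folder does not know the user at all, which is the case described in the reply above.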