I have a problem with the Zope security model and I would like to know the best way to debug Zope when access is denied. I have two experimental sites: on one of them, anonymous users can go everywhere. On the other, the permissions *look* exactly the same but anonymous users can only see the home page and are denied access to subfolders (more precisely, Zope asks for a password). I assume one DTML method, in the second site, is doing something forbidden (anonymous has "View" and "Access content information"). Is there a way to get an extended log, such as "anonymous user denied because index_html called standard_html_header which called getData and getData is a database connection and they don't have permission to use database connections"?
Stephane Bortzmeyer wrote:
Is there a way to get an extended log, such as "anonymous user denied because index_html called standard_html_header which called getData and getData is a database connection and they don't have permission to use database connections"?
If you hit cancel when the dialog box pops up, you'll get an error message. If you view the HTML source of that error message, there'll be a python traceback in there which should provide the information you're looking for...

cheers,

Chris
On Thu, 14 Dec 2000, Chris Withers wrote:
Stephane Bortzmeyer wrote:
Is there a way to get an extended log, such as "anonymous user denied because index_html called standard_html_header which called getData and getData is a database connection and they don't have permission to use database connections"?
If you hit cancel when the dialog box pops up, you'll get an error message. If you view the HTML source of that error message, there'll be a python traceback in there which should provide the information you're looking for...
May I add: "... in an incredibly unreadable and hardly understandable format." ? What Stephane asks for would be very nice, IMHO.

bye,

Jerome Alet
On Thu, Dec 14, 2000 at 12:21:19PM +0100, Jerome Alet wrote:
a python traceback in there which should provide the information you're looking for...
Great, I missed it.
May I add: "... in an incredibly unreadable and hardly understandable format." ?
Indeed. What am I supposed to do with that? Why is the 'title' property of the object unauthorized? (The object itself is viewable by Anonymous.) The relevant line seems to be:

    File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_Util.py, line 331, in eval
      (Object: title != '' and AUTHENTICATED_USER.has_permission('View',_.getitem('id',1)))
      (Info: title)

and the full traceback is:

    You are not authorized to access <em>title</em>.
    <!--
    Traceback (innermost last):
      File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 222, in publish_module
      File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 187, in publish
      File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 171, in publish
      File /usr/lib/python1.5/site-packages/ZPublisher/mapply.py, line 160, in mapply
        (Object: Map)
      File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 112, in call_object
        (Object: Map)
      File /usr/share/zope/lib/python/OFS/DTMLMethod.py, line 172, in __call__
        (Object: Map)
      File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_String.py, line 528, in __call__
        (Object: Map)
      File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_With.py, line 146, in render
        (Object: aq_parent)
      File /usr/share/zope/lib/python/OFS/DTMLMethod.py, line 168, in __call__
        (Object: recurseFolder)
      File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_String.py, line 528, in __call__
        (Object: recurseFolder)
      File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_In.py, line 691, in renderwob
        (Object: objectItems(['Folder']))
      File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_Util.py, line 331, in eval
        (Object: title != '' and AUTHENTICATED_USER.has_permission('View',_.getitem('id',1)))
        (Info: title)
      File /usr/share/zope/lib/python/OFS/DTMLMethod.py, line 194, in validate
        (Object: Map)
      File /usr/share/zope/lib/python/AccessControl/SecurityManager.py, line 139, in validate
      File /usr/share/zope/lib/python/AccessControl/ZopeSecurityPolicy.py, line 209, in validate
    Unauthorized: (see above)
    -->

I had to drop most of my DTML methods for the experimental sites I use to "sell" Zope to other people, they're too hard to use. DTML methods bring me back to sendmail.cf editing: great in theory but only a few people (after an agreement with the devil?) can do what they want with it.
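Added example, not part of the original messages and not Zope code: a small Python script that reads the traceback hidden in the HTML comment of the error page and condenses it into the kind of one-line explanation asked for at the top of the thread. The names `parse_traceback` and `explain` are hypothetical, and the sample is a shortened, constructed copy of the traceback quoted above, assumed to be laid out one entry per line.

```python
import re

# Constructed sample: shortened copy of the traceback quoted in the thread,
# one entry per line (assumption about how the error page lays it out).
SAMPLE = """You are not authorized to access <em>title</em>.
<!--
Traceback (innermost last):
  File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 112, in call_object
    (Object: Map)
  File /usr/share/zope/lib/python/OFS/DTMLMethod.py, line 168, in __call__
    (Object: recurseFolder)
  File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_In.py, line 691, in renderwob
    (Object: objectItems(['Folder']))
  File /usr/lib/python1.5/site-packages/DocumentTemplate/DT_Util.py, line 331, in eval
    (Object: title != '' and AUTHENTICATED_USER.has_permission('View',_.getitem('id',1)))
    (Info: title)
  File /usr/share/zope/lib/python/AccessControl/SecurityManager.py, line 139, in validate
Unauthorized: (see above)
-->"""

FRAME = re.compile(r"File (\S+), line (\d+), in (\S+)")

def parse_traceback(html):
    """Return (frames, error) parsed from the traceback inside the HTML comment."""
    m = re.search(r"<!--\s*Traceback \(innermost last\):(.*?)-->", html, re.S)
    frames, error = [], None
    for line in (m.group(1).splitlines() if m else []):
        line = line.strip()
        hit = FRAME.match(line)
        if hit:
            frames.append({"file": hit.group(1).rsplit("/", 1)[-1],
                           "line": int(hit.group(2)), "func": hit.group(3)})
        elif line.startswith(("(Object: ", "(Info: ")) and frames:
            key, value = line[1:-1].split(": ", 1)  # drop the outer parentheses
            frames[-1][key.lower()] = value
        elif line:
            error = line  # final line, e.g. "Unauthorized: (see above)"
    return frames, error

def explain(html):
    """Summarise what was denied, in which expression, and reached through what."""
    frames, error = parse_traceback(html)
    if not frames:
        return "no traceback found"
    denied = next((f for f in reversed(frames) if "info" in f), None)
    chain = [f["object"] for f in frames if "object" in f and f is not denied]
    what = "unknown name" if denied is None else "access to '%s' while evaluating: %s (%s line %d)" % (
        denied["info"], denied.get("object"), denied["file"], denied["line"])
    return "%s | %s | reached via: %s" % (error, what, " -> ".join(chain))
```

Calling `explain()` on the saved source of the error page names the denied attribute, the DTML expression that touched it, and the chain of objects that led there.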
participants (3): Chris Withers, Jerome Alet, Stephane Bortzmeyer