[Zope-CMF] Unauthorized problem

Tom Bech tom.bech@adcore.no
Fri, 24 Aug 2001 23:35:28 +0200 

Hi!

I'm having a really odd problem with a "unauthorized" exception in a DTML
method I'm writing. The code looks like this (the DTML is called in the
context of a custom written CMF content object):

..
<dtml-let obj="get_object()" url_list="obj.get_url_list()">
  <dtml-in url_list>
    <dtml-let a_url=sequence-item urlobj="obj.get_object_from_url(a_url)">
      Title: <dtml-var "urlobj.title"><br>
    </dtml-let>
  </dtml-in>
</dtml-let>
..

In the obj python class I have:

..
def get_object_from_url(self,url):
    """ doc string """

    from urlparse import urlparse

    path = urlparse(url)[2]

    retobj = self.restrictedTraverse(path)

    print "Id, title:", retobj.id, retobj.title

    return retobj
..

When calling the DTML method, get_object_from_url() returns the expected
result and prints the correct id and title in the log.

Upon returning to the calling DTML method, however, I get an exception
stating "You are not authorized to access urlobj.title" (But if I try
calling "urlobj.getId()", for example, I get no errors).

The exception is raised in the validate() method of
'lib\python\AccessControl\ZopeSecurityPolicy.py', more specifically:

        # We don't want someone to acquire if they can't get an unacquired!
        if accessedbase is containerbase:
-->         raise 'Unauthorized', (
                'You are not authorized to access <em>%s</em>.' \
                % cleanupName(name, value))

So it looks like the accessed object and the container has the same
aq_base at this point..? I've tried printing the aq_chain of the
returned object in get_object_from_url() and it looked correct.
Then I tried reading the documentation on aquisition, but only succeeded
in making myself even more confused :)

What's going on here?

I'm using Zope 2.3.2 with CMF 1.1 and the objects I'm trying to get at
are CMF Files. Oh, btw. I'm am logged in with sufficient permissions
- I can manually access and modify the objects with no problems...
and finally; simply making links of the urls and then clicking on them
brings the expected result (file download dialog).

Tom