[Zope-CMF] Re: Zope 2.7.5 and proxy role for workflow scripts

Duncan Booth duncan.booth at suttoncourtenay.org.uk
Tue Apr 12 09:38:32 EDT 2005 

Dieter Maurer wrote:

> Sune B. Woeller wrote at 2005-3-30 22:22 +0200:
>> ...
>>The script is set to be called after a transition.
>>
>>Without proxy roles the
>>script runs fine.
>>If this script gets the proxy role manager (or all roles except
>>anonymous), it fails, it has not got access to 'object'.
>> ...
>>Unauthorized: The owner of the executing script is defined outside the
>>context of the object being accessed. 
> 
> A very expressive (and therefore good) error message!
> 
> The (execution) owner of the script is not defined in a user folder
> in one of the ancestors of the script.
> 

A very expressive but not terribly useful error message!

I just had exactly the same error message (except obviously for the script 
name, user name and required roles). In my case the owner of the executing 
script was 'admin' defined in the root acl_users folder for the entire Zope 
instance. There does not appear to be any way to define a user which won't 
give that error.

So far as I can tell, since the security changes in Zope 2.7.5 there is now 
no way for any workflow script which sets proxy roles to access any of the 
fields of the StateChangeInfo object passed to the script as a parameter.

Fortunately there is a workaround, so in case anyone else ends up as I did 
Googling to find the answer, I thought I would follow up to this thread and 
record what I did for posterity:

Split all scripts into two parts: one script which does not have proxy role 
access but can pick the required fields out of the object and call the 
other script; and a second script which does have proxy role access and 
accepts the required fields as parameters.

So, for example, we had a delete_discussions script which needs to lose its 
proxy role and become two scripts:

------ original script delete_discussions with proxy manager role ------
#parameters=review_state
content=review_state.object
if hasattr(content, 'talkback'):
    tb = content.talkback
    replies = tb.getReplies()
    for reply in replies:
        tb.deleteReply(reply.getId())
content.allowDiscussion(0)
return 0

------ new delete_discussions (no proxy roles) ------------
#parameters=review_state
return container.delete_discussions_manager(review_state.object)

---- delete_discussions_manager (proxy manager role) -------
#parameters=content
if hasattr(content, 'talkback'):
    tb = content.talkback
    replies = tb.getReplies()
    for reply in replies:
        tb.deleteReply(reply.getId())
content.allowDiscussion(0)
return 0
------------------------------------------------------------

Sune B. Woeller also wrote:
> Is this a bug in Zope 2.7.5, DCWorkflow, or a 'feature' ?

I'm undecided between bug or 'feature'. One the one hand it is good to 
force you to be clear about which security context you are in at any 
particular time, on the other hand it is downright annoying behaviour and 
I suspect not intentional.

More information about the Zope-CMF mailing list