[ZCM] [ZC] 78/ 8 Comment ""mange_pasteObjects" does not look for proxy roles"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin@zope.org
Fri, 17 Jan 2003 17:32:59 -0500 

Issue #78 Update (Comment) ""mange_pasteObjects" does not look for proxy roles"
 Status Pending, Zope/bug medium
To followup, visit:
  http://collector.zope.org/Zope/78

==============================================================
= Comment - Entry #8 by slchorne on Jan 17, 2003 5:32 pm

manage_renameObject() has the same problem.

Is there any sort of workaround ??
________________________________________
= Comment - Entry #7 by mjablonski on Jan 14, 2003 5:22 am

The error still occurs under 2.6-Head. Script has proxy-role for manager and is called by anonymous:

id='foo'
clip=context.manage_copyObjects([id])
context.manage_pasteObjects(cb_copy_data=clip)

Error-message:

"The action against the id object could not be carried out. One of the following constraints caused the problem: 

The object does not support this operation.

 -- OR --

The currently logged-in user does not have the Copy or Move permission respective to the object. "

"You are not authorized to access this resource."

________________________________________
= Comment - Entry #6 by mcdonc on Dec 16, 2002 2:23 pm

Does this still happen under 2.6.X?
________________________________________
= Unrestrict_pending - Entry #5 by mcdonc on Dec 16, 2002 2:22 pm

 Triggered by security_related toggle.
________________________________________
= Edit - Entry #4 by mcdonc on Dec 16, 2002 2:22 pm

 Changes: submitter email, security_related unset, new comment

This bug is not really a security "hole" so it's not necessary to make it confidential.
________________________________________
= Restrict_pending - Entry #3 by klm on Dec 7, 2001 12:58 pm

 Triggered by security_related toggle.
________________________________________
= Edit - Entry #2 by klm on Dec 7, 2001 12:58 pm

 Changes: security_related set, new comment

Chris originally meant for this to be marked as security-related, so i'm doing so (and exercising the edit transition with security-related setting).
________________________________________
= Request - Entry #1 by chrisdeckard on Dec 7, 2001 12:31 pm

Issue better defined at the following link.  In short, when
manage_pasteObjects() is called from a proxied script in a context
where the logged in user doesn't have ownership, manage_pasteObjects
raises and Unauthorized exception.

http://lists.zope.org/pipermail/zope/2001-December/105141.html

-Chris
==============================================================