[ZCM] [ZC] 1610/14 Comment ""Unauthorized" error when accessing
setBrowserIdCookieByForce in 2.7.4b1"
Collector: Zope Bugs, Features,
and Patches ...
zope-coders-admin at zope.org
Tue Dec 7 10:13:08 EST 2004
Issue #1610 Update (Comment) ""Unauthorized" error when accessing setBrowserIdCookieByForce in 2.7.4b1"
Status Pending, Zope/bug medium
To followup, visit:
http://zope.org/Collectors/Zope/1610
==============================================================
= Comment - Entry #14 by passive on Dec 7, 2004 10:13 am
I tested it with the same Python, and Zope2.7.0, and 2.8.0a1.
I get the same error with 2.7.0, but no error with 2.8.0a1.
So I'm assuming it has to be something in Python2.4.
It's fixed by installing VerboseSecurity, so I assume that the existing security uses some Python features that have changed in 2.4.
I'll look into it, but I don't think I have the expertise to discover the solution to this problem.
________________________________________
= Comment - Entry #13 by passive on Dec 7, 2004 9:57 am
Interesting that you are unable to reproduce it, because I just did.
I did a fresh install of both Python2.4 and Zope 2.7.4 b1 on a separate system, and got the same thing.
The original system is Red Hat AS2.1, brand new install, hosted by Rackspace. It's using Python2.4 with Mysql-Python 1, and PyXML (0.8?) installed.
The secondary system is Red Hat 7.2, fairly old install, using Python2.4 without anything extra installed. Also has many other versions of Python and Zope. I will try running a couple other versions of Zope with this Python, and see what happens.
________________________________________
= Comment - Entry #12 by ajung on Dec 7, 2004 12:47 am
And btw. your testcase makes no sense because methods
like getBrowserId are always *called* by using parentheses
-aj
________________________________________
= Comment - Entry #11 by ajung on Dec 7, 2004 12:45 am
Sorry, not reproducible (not even with Python 2.4 which is *unsupported*)
________________________________________
= Comment - Entry #10 by passive on Dec 6, 2004 4:55 pm
Ok, I did a fresh install, just for the purpose of displaying this.
Here are the commands I used:
./configure --with-python=/usr/local/bin/python2.4 --prefix=/home/zope/ZopeTest2.7.4
make
make install
/home/zope/ZopeTest2.7.4/bin/mkzopeinstance.py
[input "/home/zope/secondary2.7" as instance directory]
[input username and password]
[edited "/home/zope/secondary2.7/etc/zope.conf" to change port-base to 1000]
/home/zope/secondary2.7/bin/runzope &
Logged into ZMI (http://*.*.*.*:9080/manage), created "test_session.py", and inserted the following code:
container.browser_id_manager.getBrowserId
Accessed http://*.*.*.*:9080/test_session.py:
Error Type: Unauthorized
Error Value: You are not allowed to access 'getBrowserId' in this context
Is there any other information I can provide about my setup that would be useful?
________________________________________
= Comment - Entry #9 by ajung on Dec 6, 2004 3:42 pm
Please provide a reproducible testcase that shows the behaviour
you described with a bare Zope installation otherwise this
issue is a candidate for a rejection.
________________________________________
= Comment - Entry #8 by passive on Dec 6, 2004 3:26 pm
Interestingly enough, you solved my problem.
I installed VerboseSecurity, and it worked. Simple as that.
This makes me quite curious.
________________________________________
= Comment - Entry #7 by efge on Dec 6, 2004 3:15 pm
Install VerboseSecurity and find out why you don't have the permission you think you have.
________________________________________
= Comment - Entry #6 by passive on Dec 6, 2004 2:10 pm
I'm not sure what it is with my installation. I'll install Python 2.3.4 and set up Zope again. I can't imagine what else it would be.
I've reduced the problem to the following python script:
container.browser_id_manager.getBrowserId (or any other method that requires "Access Contents Information")
________________________________________
= Comment - Entry #5 by ajung on Dec 6, 2004 1:53 pm
This works for me perfectly. When I revoke the permission for Anonymous then the security machinery slaps me with an Unauthorized exception as expected.
Your issue is 99% a problem of your installation and not a
Zope core bug.
________________________________________
= Comment - Entry #4 by passive on Dec 6, 2004 1:26 pm
Possibly this is due to my poor understanding of Zope security mechanisms, but simply as a test, I granted "Access contents information" on Browser Id Manager to every user, and continued to get the error. To take it a little further, I granted every permission on Browser Id Manager to every user, and continued to get the error.
So in my mind, this is still an issue that needs to be addressed.
Thanks,
Alec Munro
________________________________________
= Comment - Entry #3 by passive on Dec 5, 2004 8:35 am
I suspect you are correct, but the question is why it worked before (was it a bug then?). I'm also entirely unsure where I should grant such permissions, or whether that would be desirable.
________________________________________
= Comment - Entry #2 by ajung on Dec 5, 2004 7:04 am
The BrowserIdManager code has been untouched for a year. The corresponding method is protected with "Access contents information".
If you don't have the permission, you can't access the method.
Does not look like an error to me.
________________________________________
= Request - Entry #1 by passive on Dec 4, 2004 9:48 pm
I'm attempting to maintain a session between a secure domain and an insecure one, using the following code:
    if request.form.has_key("_ZopeId"):
        browser_man = session.getBrowserIdManager()
        browser_man.setBrowserIdCookieByForce(request.form['_ZopeId'])
"_ZopeId" is the contents of SESSION.token. This worked in 2.7.3.
Traceback is:
Traceback (innermost last):
  Module ZPublisher.Publish, line 101, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 39, in call_object
  Module Shared.DC.Scripts.Bindings, line 306, in __call__
  Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
  Module Products.PythonScripts.PythonScript, line 323, in _exec
  Module None, line 6, in view_order
   - <PythonScript at /pmdw/p_comp/order_form/view_order>
   - Line 6
Unauthorized: You are not allowed to access 'setBrowserIdCookieByForce' in this context
==============================================================