[ZCM] [ZC] 1756/ 1 Request "Unexpected authorization failure during traversal"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Thu Apr 14 08:03:38 EDT 2005


Issue #1756 Update (Request) "Unexpected authorization failure during traversal"
 Status Pending, Zope/bug+solution medium
To followup, visit:
  http://www.zope.org/Collectors/Zope/1756

==============================================================
= Request - Entry #1 by bierce on Apr 14, 2005 8:03 am

CHANGES.txt in Zope 2.7.5 final (2005/03/20), contains the following entry:

  * AccessControl/User.py: _check_context() has not been 
    called for authenticated users.

The corresponding change produces unexpected authorization failure during traversal.  Code which ran without error under previous versions of Zope fails under 2.7.5-final.

The behavior can be reproduced as follows:

 1. Install Zope-2.7.5-final and bring up an instance
    with default settings;

 2. Create a folder and subfolder, "/a/b".

 3. Create a user folder acl_users at top level,
    and create a user User1 in it.

 4. Place a method "m1" at top level, which accesses
    properties of its context.

 5. In the securities tab, make the following two changes:

    - Deny the View permission to the Anonymous role;
      and

    - Explicitly grant all permissions to Authenticated,
      including View.

 6. Log in as User1.

 7. Access the following path: /a/b/m1

 8. The result on our installation of 2.7.5-final is
    an authentication error:

      You are not authorized to access this resource
      Username and password are not correct. (Also, an
      error occurred while attempting to render the 
      standard error message.)

This does not seem to be correct behavior.  Zope versions prior to 2.7.5-final run this case without error.

The Japanese colleague on whose behalf I am filing this issue (Tokuyasu Kakuta) suggests unwinding the change by replacing lines 185 and 186 in Users.py with "            return 1".  This restores the previous behavior.

==============================================================


