[ZCM] [ZC] 1779/ 8 Comment "workflow script proxy role does not apply"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Fri Aug 12 09:36:09 EDT 2005 

Issue #1779 Update (Comment) "workflow script proxy role does not apply"
 Status Pending, Zope/bug medium
To followup, visit:
  http://www.zope.org/Collectors/Zope/1779

==============================================================
= Comment - Entry #8 by Duncan on Aug 12, 2005 9:35 am


Uploaded:  "test_wfbug.py"
 - http://www.zope.org/Collectors/Zope/1779/test_wfbug.py/view
I finally managed to produce a test case which demonstrates the problem.

The critical thing seems to be that the View permission at the point when the script is invoked must not be inherited.

If you run this test file (in a directory such as CMFPlone/tests) then on my system it comes up with:
Unauthorized: You are not allowed to access 'object' in this context

Either commenting out the line which assigns proxy role to the script or commenting out the sdef.setPermission line will allow the test to pass.
________________________________________
= Comment - Entry #7 by ajung on May 27, 2005 2:41 am

I tried to reproduce this error with Zope 2.7.6, Plone 2.0.5 and PloneCollectorNG where I have some workflow scripts with 'Manager'
as proxy role to send out notification email (required 
when anonymous users file new issues). Unfortunately I could not 
reproduce this behaviour with my setup. 

So the first step to nail this down would be to write 
a unittest that shows the described behaviour. 
________________________________________
= Comment - Entry #6 by ajung on May 21, 2005 1:33 pm

The change in User.py was done based on this:

http://mail.zope.org/pipermail/zope/2005-March/157419.html
________________________________________
= Comment - Entry #5 by efge on May 13, 2005 12:28 pm

See also
http://mail.zope.org/pipermail/zope-cmf/2005-April/022152.html
that reported the problem in the list but never opened a bug.

________________________________________
= Comment - Entry #4 by mcdonc on May 12, 2005 5:38 pm

Tres says that this patch may be the culprit...

http://cvs.zope.org/Zope/lib/python/AccessControl/Attic/User.py.diff?r1=1.176.14.7&r2=1.176.14.8

Zero help in the checkin message for why it was introduced.
________________________________________
= Comment - Entry #3 by mcdonc on May 12, 2005 4:58 pm

Note that we did confirm that the owner of the script existed (we took ownership of the object via another just-created account).
________________________________________
= Comment - Entry #2 by mcdonc on May 12, 2005 4:57 pm

FWIW, I chatted about this in IRC with r33t and it does appear to be some sort of bug.  The same configuration works in 2.7.3 and 2.7.4 but does not work in 2.7.5 and 2.7.6.

The suspicious things in changes.txt for 2.7.5 are:

 - AccessControl/User.py: _check_context() has not been called
   for authenticated users
- guarded_getattr: Restored ability to aquire "through" unprotected
 contexts, broken through overzealous cleanup in Zope 2.7.3.


________________________________________
= Request - Entry #1 by r33t on May 12, 2005 4:39 pm


Uploaded:  "checkTransition.py"
 - http://www.zope.org/Collectors/Zope/1779/checkTransition.py/view
I have a workflow script which runs with proxy 'manager' and I get
the following error (VerboseSecurity):

"The owner of the executing script is defined outside the context of the object being accessed. The script has proxy roles, but they do not apply in this context.. Access to 'new_state' of (Products.DCWorkflow.Expression.StateChangeInfo instance at 0xb5e78aac) denied. Access requires Manage_portal_Permission, granted to the following roles: ['Manager']. The executing script is (PythonScript at /Intranet/portal_workflow/cmfi_workflow/scripts/checkTransition), owned by manager."

The error happens when the script tries to access state_change.new_state. 
state_change.object can be accessed, no problem.
<PythonScript at /Intranet/portal_workflow/cmfi_workflow/scripts/checkTransition>
Line 15
> if state_change.new_state.id == 'pending': 
the complete script is attached, bound names are : context, container, script, traverse_subpath, parameter list: state_change

The user manager (which is the owner) exists in the context (a plone instance). I also tried to take ownership with another user, still the same error. The script worked with Zope-2.7.4-final.

==============================================================

More information about the Zope-Collector-Monitor mailing list