[Zope-dev] problems with webdav MOVE and COPY
Tres Seaver
tseaver@digicool.com
Sat, 09 Dec 2000 11:38:31 -0500
Joseph Wayne Norton <norton@alum.mit.edu> wrote:
> I tried to use some of the webdav functions in zope but ran
> into some trouble with the MOVE and COPY operations. One issue
> seems to be that the method "getSecurityManager" is not
> imported into the file zope-2.2/lib/python/webdav/Resource.py.
>
> def dav__validate(self, object, methodname, REQUEST):
> msg='<strong>You are not authorized to access this resource.</strong>'
> method=None
> if hasattr(object, methodname):
> method=getattr(object, methodname)
> else:
> try: method=object.aq_acquire(methodname)
> except: method=None
>
> if method is not None:
> --> try: return getSecurityManager().validateValue(method)
This is definitely a bug, with a simple fix::
Index: Resource.py
===================================================================
RCS file: /cvs-repository/Zope2/lib/python/webdav/Resource.py,v
retrieving revision 1.33
diff -u -r1.33 Resource.py
--- Resource.py 2000/07/12 17:06:52 1.33
+++ Resource.py 2000/12/09 16:24:28
@@ -90,6 +90,7 @@
import sys, os, string, mimetypes, davcmds, ExtensionClass
from common import absattr, aq_base, urlfix, rfc1123_date
from urllib import quote, unquote
+from AccessControl.SecurityManagement import getSecurityManager
import Globals, time
class Resource(ExtensionClass.Base):
> except: pass
>
> raise 'Unauthorized', msg
>
> Secondly, the method try: parent._verifyObjectPaste(self) is
> failing even though the user is authenticated as a manager. For
> example,
>
> try: parent._checkId(name, allow_dup=1)
> except: raise 'Forbidden', sys.exc_info()[1]
> --> try: parent._verifyObjectPaste(self)
> except: raise 'Forbidden', sys.exc_info()[1]
The implementaton of 'OFS.CopySupport._verifyObjectPaste()' has
some warts; in particular, its checks (that the user could create
an object of the given type at the "paste location", and that the
user has access to the original object) are a bit fragile. One
of the fragilities is resolved by a fix which went into Zope
2.2.3; are you perhaps running an earlier version?
I just played around with cadaver (a Unix command-line WebDAV client):
* Before authenticating, 'copy foo foo.copytest' fails with
'403: Forbidden', which somehow doesn't trigger authentication.
* 'move foo foo.movetest' triggers authentication, and then
succeeds.
* 'copy foo.movetest foo' then works.
I can't explain this behavior at the moment :)
>
> Lastly, where are properties that can be set and put using
> webdav. Are these object attributes? I was expecting to see
> this properties show up in the "Properties" tab for a folder,
> for a dtml document etc. but they did not show up.
Zope's WebDAV implementation exposes the "standard" WebDAV
properties, plus the "default" Zope properties ('title'), as
so::
[/usr/local/zope/Zope2_webdav/lib/python] $ python
Python 1.5.2 (#1, Feb 1 2000, 16:32:16) [GCC egcs-2.91.66
19990314/Linux (egcs- on linux-i386
Copyright 1991-1995 Stichting Mathematisch Centrum, Amsterdam
>>> import Zope
>>> Zope.debug( '/hookable_PUT', request_method='PROPFIND' )
^D
Status: 207 Multi-Status
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
Ms-Author-Via: DAV
Content-Type: text/xml; charset="utf-8"
Content-Length: 1824
Date: Sat, 09 Dec 2000 16:25:08 GMT
Content-Location: http://127.0.0.1/Zope/hookable_PUT/
Connection: close
<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:">
<d:response>
<d:href>/Zope/hookable_PUT/</d:href>
<d:propstat xmlns:n="http://www.zope.org/propsets/default">
<d:prop>
<n:title>Test Hookable PUT Implementation</n:title>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
<d:propstat xmlns:n="DAV:">
<d:prop>
<n:creationdate></n:creationdate>
<n:displayname>hookable_PUT</n:displayname>
<n:resourcetype><n:collection/></n:resourcetype>
<n:getlastmodified>Thu, 07 Dec 2000 16:26:41 GMT</n:getlastmodified>
<n:getcontenttype></n:getcontenttype>
<n:getcontentlength></n:getcontentlength>
<n:source></n:source>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
</d:response>
<d:response>
<d:href>/Zope/hookable_PUT/PUT_factory</d:href>
<d:propstat xmlns:n="DAV:">
<d:prop>
<n:creationdate></n:creationdate>
<n:displayname>PUT_factory</n:displayname>
<n:resourcetype></n:resourcetype>
<n:getlastmodified>Thu, 07 Dec 2000 15:44:08 GMT</n:getlastmodified>
<n:getcontenttype></n:getcontenttype>
<n:getcontentlength></n:getcontentlength>
<n:source></n:source>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
</d:response>
<d:response>
<d:href>/Zope/hookable_PUT/README</d:href>
<d:propstat xmlns:n="DAV:">
<d:prop>
<n:creationdate></n:creationdate>
<n:displayname>README</n:displayname>
<n:resourcetype></n:resourcetype>
<n:getlastmodified>Thu, 07 Dec 2000 16:26:41 GMT</n:getlastmodified>
<n:getcontenttype></n:getcontenttype>
<n:getcontentlength>615</n:getcontentlength>
<n:source>
<n:link>
<n:src>/Zope/hookable_PUT/README</n:src>
<n:dst>/Zope/hookable_PUT/README/document_src</n:dst>
</n:link>
</n:source>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
</d:response>
</d:multistatus>
WebDAV clients (e.g., GoLive) can attach their own properties to
Zope objects; Zope objects which want to expose other
propertysheets have to do some extra work.
Tres.
--
===============================================================
Tres Seaver tseaver@digicool.com
Digital Creations "Zope Dealers" http://www.zope.org