[Zope-dev] fixing security problems HOW?
Dieter Maurer
dieter@handshake.de
Wed, 29 Nov 2000 00:16:43 +0100 (CET)
Robin Becker writes:
> How can I find out exactly what is causing my security permissioning to
> fail?
>
> I have put extra stuff into ZPublisher\BaseRequest.py at line 463 so I
> know that I'm failing on
>
> UnauthorizedYou are not authorized to access this resource.
> URL='http://192.168.0.4:7080/live/index_html' No Authorization header
> found.
>
> I am an anonymous user. Even when I make /live have the same permissions
> as the manager I can't make it work. index_html is a dtml method of the
> class of which live is an instance.
>
> How can I figure out what is blocking the anonymous access?

The URL traversal in "ZPublisher.BaseRequest.traverse"
led to a "roles" assignment with a non-"None" value.
This triggers authentication checking.
Anonymous did not have one of the necessary roles.

I would probably check what "roles" are determined during
traversal.

Apparently, your "live" is a Z instance.
It is quite easy to forget the ZClass permission mapping
(or get it wrong). This may lead to strange permission
problems.

Dieter
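
The check suggested above (seeing which "roles" are in effect at each traversal step) can be illustrated with a simplified model; this is an added example, not code from the post or from Zope. Node, trace_roles and the sample trees are hypothetical; the only Zope convention assumed is that an object's `__roles__` (or `<name>__roles__` on its parent) lists the roles allowed to publish it, with None meaning public.

```python
# Simplified model of the role lookup performed while a URL is traversed.
# Not Zope's code: Node and trace_roles are hypothetical names.
_MISSING = object()

class Node:
    """Stand-in for a published object; children become attributes."""
    def __init__(self, roles=_MISSING, **children):
        if roles is not _MISSING:
            self.__roles__ = roles          # None means "public"
        for name, child in children.items():
            setattr(self, name, child)

def trace_roles(root, path, user_roles=("Anonymous",)):
    """Return (steps, allowed); steps holds the roles in effect after each name."""
    obj = root
    roles = getattr(root, "__roles__", None)
    steps = [("/", roles)]
    for name in filter(None, path.split("/")):
        parent, obj = obj, getattr(obj, name)
        own = getattr(obj, "__roles__", _MISSING)
        if own is _MISSING:                  # fall back to <name>__roles__ on parent
            own = getattr(parent, name + "__roles__", _MISSING)
        if own is not _MISSING:
            roles = own                      # the last assignment wins
        steps.append((name, roles))
    # A non-None value forces an authentication check against these roles.
    allowed = roles is None or any(r in roles for r in user_roles)
    return steps, allowed

# Constructed sample trees: "live" is public in both, but in the first one
# its index_html is still restricted to Manager.
broken = Node(roles=None,
              live=Node(roles=None, index_html=Node(roles=("Manager",))))
fixed = Node(roles=None,
             live=Node(roles=None,
                       index_html=Node(roles=("Manager", "Anonymous"))))

if __name__ == "__main__":
    for label, tree in (("broken", broken), ("fixed", fixed)):
        steps, ok = trace_roles(tree, "live/index_html")
        for name, roles in steps:
            print(f"{label:7} {name:12} roles={roles!r}")
        print(f"{label:7} anonymous allowed: {ok}")
```

The step at which "roles" first becomes non-None and lacks Anonymous is the object whose permission settings need attention.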