[Zope-dev] Re: 2.7rc1 - Unauthorized: You are not allowed to access '' in this context

Tres Seaver tseaver at zope.com
Tue Jan 20 10:34:56 EST 2004


Stuart Bishop wrote:
> In Shared.DC.Scripts.Bindings._getContext(self), there
> seems to be a new security check:
>     getSecurityManager().validate(parent, container, '', self)
> 
> This is now giving me the following traceback:
> 
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 100, in publish
>   Module ZPublisher.mapply, line 88, in mapply
>   Module ZPublisher.Publish, line 40, in call_object
>   Module Products.CGPublisher.storage.Storage, line 911, in editPane
>   Module Shared.DC.Scripts.Bindings, line 261, in __call__
>   Module Shared.DC.Scripts.Bindings, line 292, in _bindAndExec
>   Module Products.PageTemplates.PageTemplateFile, line 106, in _exec
>   Module Products.PageTemplates.PageTemplate, line 90, in pt_render
>    - <PageTemplateFile at /CGPublisher/works/2/5/source/getaway/details/editPaneHelper>
>   Module Products.PageTemplates.PageTemplateFile, line 74, in pt_getContext
>   Module Shared.DC.Scripts.Bindings, line 224, in _getContext
>   Module AccessControl.ImplPython, line 398, in validate
>   Module AccessControl.ImplPython, line 263, in validate
> Unauthorized: You are not allowed to access '' in this context
> 
> 
> editPaneHelper is just a PageTemplateFile. Storage.editPane
> (Python - not Python Script) is calling it like:
>     return self.editPaneHelper(**options)
> 
> 
> Can anyone give me a hint on tracking this down? I have so far been
> unable to write a minimal example that fails (they all work), so I'm
> unsure if this is a Zope problem or my problem.

Zope 2.6.3 added a new security check for untrusted code, to ensure that 
the "bindings" created (in particular, 'context' and 'container') 
weren't set up if the user didn't have access to the bound objects.

You can either:

   - On the template's "Bindings" tab, unbind the 'context' name
     (assuming that your template does not use either 'context' or 'here')

   - Give the template a proxy role of 'Manager'.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
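
A simplified model of the bind-time check and the two remedies in the reply above, added here as an illustration; it is not Zope's AccessControl code and does not come from either poster. The classes, the role sets and the rule that proxy roles stand in for the caller's roles are modelling assumptions, and ownership checks are left out.

```python
"""Simplified model of a bind-time access check (illustrative; not Zope's AccessControl code)."""

class Unauthorized(Exception):
    pass

class Protected:
    """Hypothetical object that only the listed roles may access."""
    def __init__(self, view_roles):
        self.view_roles = frozenset(view_roles)

class Template:
    """Hypothetical template: the names it binds, plus optional proxy roles."""
    def __init__(self, bound_names, proxy_roles=()):
        self.bound_names = set(bound_names)
        self.proxy_roles = frozenset(proxy_roles)

def bind(template, user_roles, candidates):
    """Build the namespace for the template, validating every bound object first."""
    # Assumption of this model: proxy roles, when set, are used instead of the caller's roles.
    roles = template.proxy_roles or frozenset(user_roles)
    namespace = {}
    for name in sorted(template.bound_names):
        obj = candidates[name]
        if not (roles & obj.view_roles):
            # The check is made with an empty name, hence '' in the message.
            raise Unauthorized("You are not allowed to access '' in this context")
        namespace[name] = obj
    return namespace

def outcome(template, user_roles, candidates):
    """Return the sorted bound names, or the error text if binding is refused."""
    try:
        return sorted(bind(template, user_roles, candidates))
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc

# Constructed sample data: the context object is Manager-only, the container is public.
CANDIDATES = {
    "context": Protected({"Manager"}),
    "container": Protected({"Anonymous", "Manager"}),
}
USER = {"Anonymous"}

if __name__ == "__main__":
    for label, tpl in [("context bound", Template({"context", "container"})),
                       ("context unbound", Template({"container"})),
                       ("proxy role Manager", Template({"context", "container"}, {"Manager"}))]:
        print(label, "->", outcome(tpl, USER, CANDIDATES))
```

In this model the proxy role makes the template's access independent of the caller's roles, while unbinding only removes the one name the caller is not allowed to receive.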



