[Zope-dev] Authentification bug in 2.6.4
Dieter Maurer
dieter at handshake.de
Sat Jan 8 13:59:40 EST 2005
Frederic de Zorzi wrote at 2005-1-7 21:51 +0100:
>After disabling Anonymous access in "Webdav Access" permission on root
>folder, I've lost all non-Manager accesses in 2.6.4 servers :
>
>Each time I try to access a restricted page (anonymous access works),
>I have the following :
>
>Traceback (innermost last):
> Module ZPublisher.Publish, line 89, in publish
> Module ZPublisher.BaseRequest, line 438, in traverse
> Module ZPublisher.HTTPResponse, line 663, in unauthorized
>Unauthorized: <strong>You are not authorized to access this resource.</strong>
>
>I've reactivated anonymous access for webdav, same thing. This happens with our
>4 zope servers (debian woody, zope 2.6.4, python 2.1) :(((
Almost surely, this has nothing to do with your "webdav" access
permission.

When you look at the code near line 663 of
".../ZPublisher.BaseRequest.py" you will probably see
something like:

    if user is None and roles != UNSPECIFIED_ROLES:
        response.unauthorized()

If this is the case (I am not sure as my Zope version is much more
modern than yours ;-) ), then this means:

  * you try to access a protected object ("roles != UNSPECIFIED_ROLES")

  * the user folder was not able to authenticate a user
    with the required roles ("user is None").

You should log in as "Emergency User" (Howto on Zope.org)
and analyse your user folder.

If this does not reveal a problem, then maybe the necessary
roles have been erroneously determined. Long ago (much before
Zope 2.6), I have seen security settings disappearing (twice,
not reproducible, unexplained). Check especially the "security" tab
of the "Root Folder" (again as EmergencyUser) that it grants
all permissions to "Manager".
--
Dieter
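
Added illustration, not part of the message above and not Zope's own code: a simplified Python model of the quoted check that separates the two causes named in the reply (the user folder cannot produce a user, or the required roles were determined wrongly). The `UserFolder` class, the `''` value used for `UNSPECIFIED_ROLES`, the `publish` and `diagnose` functions and all account data are assumptions constructed for this example.

```python
# Simplified model of the check quoted above; not ZPublisher's own code.
UNSPECIFIED_ROLES = ''  # assumed sentinel: the object declares no required roles


class Unauthorized(Exception):
    pass


class UserFolder:
    """Hypothetical stand-in for a Zope user folder."""

    def __init__(self, users):
        self.users = users  # name -> (password, set of roles); constructed data

    def validate(self, auth, roles):
        """Return the user name if the credentials match and the user holds
        at least one required role, else None."""
        if auth is None:
            return 'Anonymous User' if 'Anonymous' in roles else None
        name, password = auth
        record = self.users.get(name)
        if record is None or record[0] != password:
            return None
        return name if record[1] & set(roles) else None


def publish(user_folder, roles, auth):
    """Mirror the quoted test: no validated user on a protected object."""
    user = None
    if roles != UNSPECIFIED_ROLES:
        user = user_folder.validate(auth, roles)
    if user is None and roles != UNSPECIFIED_ROLES:
        raise Unauthorized('You are not authorized to access this resource.')
    return user


def diagnose(user_folder, roles, auth):
    """Name which of the two causes from the reply explains a failure."""
    try:
        publish(user_folder, roles, auth)
        return 'ok'
    except Unauthorized:
        pass
    if not roles:
        return 'no role is granted the permission: check the Security tab'
    name = auth[0] if auth else None
    record = user_folder.users.get(name)
    if record is None or record[0] != auth[1]:
        return 'user folder could not authenticate the user'
    return 'user authenticated but holds none of the required roles'
```

An empty role list models the "security settings disappearing" case: the object is still protected, but no account, not even a Manager, can satisfy the check.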