[Zope-PAS] AW: Re: Strange authorization problems in subfolders under PAS
bernd.grobauer at krakel.de
Wed Nov 23 04:51:03 EST 2005
Hi,
>The user's ID is probably 'auth_zopeadmin', while the login name is
>'zopeadmin'; this assumes that your user source (a ZODBUserManager?)
>uses the prefix, 'auth'. If you show 'user/getId', is it 'auth_zopeadmin'?
You were right: the UserId is 'auth__zopeadmin' -- and the name of
our scriptable plugin is 'auth' -- I guess that is where it inherits
the 'auth' from. I redid the experiments:
- calling 'index_html' in the same folder as the PAS-user-folder is
  located works also if index_html has owner 'auth__zopeadmin'
- calling 'index_html' owned by 'auth__zopeadmin' when located in
  a folder somewhere under the PAS-user-folder in the hierarchy gives
  the following error message:
Error Type: Unauthorized
Error Value: The owner of the executing script does not have the required
permission. Access to 'meta_type' of (PythonScript at
/test/subfolder/index_html) denied. Access requires View_Permission,
granted to the following roles: ['Authenticated', 'Manager', 'Owner'].
The executing script is (PythonScript at
/test/subfolder/index_html), owned by Anonymous User,
who has the roles ['Anonymous'].
The same happens if I set the proxy-role of the script to, say, 'Manager'.
I guess I could just solve my problem by granting View to 'Anonymous',
but there is obviously something fundamental I do not understand:
- why do objects in subfolders react differently?
- how does the 'old' Zope authentication with the regular 'userfolder'
  at top level and PAS users? For the user itself, it does not
  matter if he has a funny id such as 'auth__zopeadmin', because I can
  grant roles to him no matter what the name is via PAS. But what about
  scripts and their owners?
Best regards,
Bernd