[Zope-PAS] Failure authorizing with PlonePAS and pubcookie
Michael Gilbert
mdgilb at u.washington.edu
Tue Feb 13 12:30:05 EST 2007
Hello,
We are currently having problems trying to get authorization working
with Plone 2.5.2, Zope 2.9.6, and Python 2.4.3 using pubcookie and a
multi-plugin to communicate with pubcookie. We've verified that
pubcookie is working properly and that user names are getting passed on
to Zope, but the right roles are not assigned to the deserving users.
Below are the steps to repro the problem:
- Set up the Zope instance for the pubcookie plugin by following the steps listed
under http://www.washington.edu/webinfo/case/zope/
- Set up two users, one of whom will need Manager privileges under the
root acl_users ([ZopeSiteRoot]/acl_users/roles/manage_workspace), the
second will need Manager privileges under a Plone site
([ZopeSiteRoot]/plone/acl_users/portal_role_manager/manage_workspace).
Users should not be listed under both the root acl_users and the Plone
site acl_users.
* Scenario 1
- Install the PubcookiePAS multiplugin by going to the root
acl_users and clicking Pubcookie PAS Multiplugin from the dropdown menu
and clicking Add.
- Enter a valid id and name, along with the valid login page
- Under the acl_users plugins
(acl_users/plugins/manage_workspace), add the PubcookiePAS multiplugin
to each of the Authentication, Challenge, Reset Credentials, and
Extraction plugins.
* Expected behavior:
When the plugin is functioning properly, users should be able to
authenticate via pubcookie, zope admins should be able to modify all
sites, and site admins should be able to modify the sites that they
have Manager privileges for.
* Actual behavior:
Zope admins are still able to modify all sites, but site admins
lose all admin privileges for the sites they should be able to edit.
* Scenario 2**
- Instead of adding PubcookiePAS to the root acl_users, go to a
site's acl_users folder and add it there.
- As above, enter a valid id, name, and login page, and enable
the plugin for Authentication, Challenge, Reset Credentials, and
Extraction plugins.
* Expected behavior:
Same as above - that both site admins and zope admins have full
access to the sites under their control according to the roles given
* Actual behavior:
Site admins are still able to modify their sites and access
[SiteName]/manage, but zope administrators are no longer able to effect
change in the site the PubcookiePAS plugin was installed under.
(**Note: after this is done you'll need to remove the plugin from the
site's acl_users with a manager under this site, since your zope admin
will no longer be able to access it via the zmi. Make sure you have a
site administrator that you have access to before installing the plugin).
We feel that the proper way to install the plugin would be to follow the
steps in scenario 1 - and in fact this at one point worked properly.
We've done some debugging of the issue but have been unable to come up
with a definitive solution, and at the moment I seem to have hit a dead
end in the code... Traversal seems to follow
PluggableAuthService.validate( self, request, auth, roles=_noroles )
-> PluggableAuthService._findUser( plugins, user_id, login, request )
-> ZODBRoleManager.getRolesForPrincipal( user, request )
-> ZODBRoleManager._principal_roles.get( principal.getId(), () )
The final call is on line 95 of ZODBRoleManager and returns an empty
array instead of the Manager role as expected and hoped for. That line is
result = list( self._principal_roles.get( principal.getId(), () ) )
_principal_roles would seem to contain the roles for all users, but
roles are only given for the context the PubcookiePAS is installed in
(the root level acl_users folder). For example, calling
self._principal_roles.get('ValidRootManagerUser')
returns ('Manager', 'Owner'). However, calling
self._principal_roles.get('ValidSiteManagerUser')
returns () - an empty array. The problem would seem to be that when
self._principal_roles is populated it only adds users and roles from the
zope root level acl_users folder, not from any of the nested Plone site
acl_users folders. Unfortunately, I seem to lose the trail about here
and can't find where _principal_roles is definitively set.
I believe the solution should be that
self._principal_roles.get('ValidSiteManagerUser') returns at the very
least ('Manager') - any ideas on how to achieve this?
Thanks,
Michael Gilbert
Software Support Group, University of Washington
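The lookup chain traced in the post (validate -> _findUser -> getRolesForPrincipal -> _principal_roles.get) can be reproduced with a small stand-alone model of two nested acl_users folders. This is an added illustration written for this page, not Zope, PAS or PubcookiePAS code: the role-manager and user-folder classes are simplified stand-ins, the request is constructed inline, and reading the login from a REMOTE_USER header is an assumption about how a pubcookie-style extractor works. It shows both scenarios: whichever folder's extraction plugin identifies the user, only that folder's own role mapping is consulted, so the other folder's Manager assignments never reach the user.

```python
# Toy model of how nested PAS user folders resolve roles (not Zope code).
# The two acl_users, the role managers and the request are all constructed
# here to mirror the scenarios in the post; "REMOTE_USER" as the header a
# pubcookie-style extractor reads is an assumption.


class ZODBRoleManagerModel:
    """Stand-in for ZODBRoleManager: a per-acl_users map of id -> roles."""

    def __init__(self, principal_roles):
        self._principal_roles = dict(principal_roles)

    def getRolesForPrincipal(self, principal_id):
        # Mirrors the lookup the post traced: roles come only from this
        # folder's own mapping, never from a parent or child acl_users.
        return list(self._principal_roles.get(principal_id, ()))


def pubcookie_extractor(request):
    """Assumed extraction plugin: trusts the user name the front end set."""
    login = request.get("REMOTE_USER")
    return {"login": login} if login else None


class PASModel:
    """One acl_users folder: extraction plugins plus a role plugin."""

    def __init__(self, name, role_manager, extractors=(), parent=None):
        self.name = name
        self.role_manager = role_manager
        self.extractors = list(extractors)
        self.parent = parent

    def _findUser(self, user_id):
        return {
            "id": user_id,
            "roles": self.role_manager.getRolesForPrincipal(user_id),
            "authenticated_by": self.name,
        }

    def validate(self, request):
        # The innermost user folder is asked first; if none of its plugins
        # yields a user, the request falls back to the parent folder.
        for extract in self.extractors:
            creds = extract(request)
            if creds is not None:
                # The extracted login is accepted as the user id (assumed
                # behaviour of a pubcookie-style authenticator).
                return self._findUser(creds["login"])
        if self.parent is not None:
            return self.parent.validate(request)
        return None


def build_site(plugin_at):
    """Root acl_users with a nested Plone site acl_users; the pubcookie
    extractor is installed at 'root' (scenario 1) or 'site' (scenario 2)."""
    root = PASModel(
        "root",
        ZODBRoleManagerModel({"ValidRootManagerUser": ("Manager", "Owner")}),
        extractors=[pubcookie_extractor] if plugin_at == "root" else [],
    )
    site = PASModel(
        "site",
        ZODBRoleManagerModel({"ValidSiteManagerUser": ("Manager",)}),
        extractors=[pubcookie_extractor] if plugin_at == "site" else [],
        parent=root,
    )
    return site


def roles_in_site(plugin_at, login):
    """User record (id, roles, which folder authenticated it) that results
    when the given login traverses into the nested site."""
    site = build_site(plugin_at)
    return site.validate({"REMOTE_USER": login})  # constructed request


if __name__ == "__main__":
    for where in ("root", "site"):
        for who in ("ValidRootManagerUser", "ValidSiteManagerUser"):
            print(where, who, roles_in_site(where, who))
```

Running it prints the four combinations: with the plugin at root, ValidSiteManagerUser is authenticated by the root folder and gets no roles, because the root ZODBRoleManager's _principal_roles has no entry for it; with the plugin at the site, ValidRootManagerUser is authenticated by the site folder and likewise ends up with an empty role list there, which is the lock-out the post's footnote warns about.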