[Zope] "Access contents information" and SQL Methods; bug?

Alexander Staubo alex@mop.no
Mon, 26 Jul 1999 03:27:24 +0200


I have an interesting problem with a part of a site that needs to be
limited to privileged editors. Let's call this role "Editor". The
problem is, unless I give the "Access contents information" permission
to the "Anonymous" role, SQL Method calls are not permitted, even if I
give _all_ permissions to the "Editor" role.

Isn't that curious? <!--#var AUTHENTICATED_USER--> equals my editor
user (defined in a folder somewhere above the restricted folder), and
<!--#var "AUTHENTICATED_USER.getRoles()"--> gives me ['Editor']. Btw,
I've disabled acquisition of permissions on the restricted folder.

Unless I give "Access contents information" to "Anonymous", the
following traceback is emitted when authentication fails:

Error Type: Unauthorized
Error Value: 0
[...]
Traceback (innermost last):
  File /usr/src/Zope-2.0.0b1-src/lib/python/ZPublisher/Publish.py, line 256, in publish_module
  File /usr/src/Zope-2.0.0b1-src/lib/python/ZPublisher/Publish.py, line 161, in publish
  File /usr/src/Zope-2.0.0b1-src/lib/python/ZPublisher/mapply.py, line 154, in mapply
    (Object: index_html)
  File /usr/src/Zope-2.0.0b1-src/lib/python/ZPublisher/Publish.py, line 98, in call_object
    (Object: index_html)
  File /usr/src/Zope-2.0.0b1-src/lib/python/OFS/DTMLDocument.py, line 171, in __call__
    (Object: index_html)
  File /usr/src/Zope-2.0.0b1-src/lib/python/OFS/DTMLDocument.py, line 166, in __call__
    (Object: index_html)
  File /usr/src/Zope-2.0.0b1-src/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: index_html)
  File /usr/src/Zope-2.0.0b1-src/lib/python/DocumentTemplate/DT_In.py, line 680, in renderwob
    (Object: SqlTest)
Unauthorized: (see above)

I experienced the same error with 1.11.0pr1, but I chose not to report
it but rather wait until 2.0 to test it out. I've tried setting up a
test folder in case it was caused by something in my site; same
behaviour.

The problem only applies to SQL Methods -- any other permission with any
other object/op seems to work as expected.

For now, I'll enable "Access contents information" for the "Anonymous"
role, but in the long run I feel this is a bad solution.

-- 
Alexander Staubo             http://www.mop.no/~alex/
"QED?" said Russell.
"It's Latin," said Morgan. "It means, So there you bastard."
--Robert Rankin, _Nostramadus Ate My Hamster_
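As an added illustration (not part of the original post and not Zope's own code), the following toy model shows the permission resolution the poster expects from Zope 2: each folder maps a permission to the roles that hold it and may or may not acquire the parent folder's roles for that permission; a user is authorised when the effective role set for the permission on the object intersects the user's roles. "Access contents information" is taken from the post; the permission name "Use Database Methods", the folder names and the role assignments are assumptions made up for the example. Under these rules a user holding only "Editor" is allowed in the restricted folder regardless of what "Anonymous" is granted at the root, which is why the traceback above looks like a bug rather than a misconfiguration; the model does not explain why the running Zope 2.0.0b1 behaves differently.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Permission names: the first is quoted in the post, the second is an
# assumption used only to model a separate "run the SQL Method" check.
ACCESS = "Access contents information"
USE_DB = "Use Database Methods"


@dataclass
class Folder:
    """A folder in a Zope-style hierarchy with per-permission role grants."""
    name: str
    parent: Optional["Folder"] = None
    # permission -> (roles granted here, whether to acquire the parent's roles)
    perms: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)

    def grant(self, permission: str, roles, acquire: bool = True) -> None:
        self.perms[permission] = (set(roles), acquire)

    def effective_roles(self, permission: str) -> Set[str]:
        """Roles holding `permission` here, plus acquired roles if enabled.

        A permission never mentioned on this folder acquires by default,
        mirroring the "acquire permission settings" checkbox.
        """
        roles, acquire = self.perms.get(permission, (set(), True))
        effective = set(roles)
        if acquire and self.parent is not None:
            effective |= self.parent.effective_roles(permission)
        return effective


def allowed(user_roles, folder: Folder, permission: str) -> bool:
    """True if any of the user's roles holds `permission` on `folder`."""
    return bool(set(user_roles) & folder.effective_roles(permission))


def build_site(anonymous_can_access_root: bool):
    """Constructed site: a root folder and a restricted sub-folder.

    The restricted folder has acquisition disabled and grants everything
    to "Editor" only, as the post describes.
    """
    root = Folder("root")
    root.grant("View", {"Anonymous", "Editor"})
    # The workaround from the post: hand "Access contents information"
    # to Anonymous (here at the root) or keep it restricted to Editor.
    if anonymous_can_access_root:
        root.grant(ACCESS, {"Anonymous", "Editor"})
    else:
        root.grant(ACCESS, {"Editor"})

    restricted = Folder("restricted", parent=root)
    for perm in (ACCESS, USE_DB, "View"):
        restricted.grant(perm, {"Editor"}, acquire=False)
    return root, restricted


def check(user_roles, anonymous_can_access_root: bool) -> Dict[str, bool]:
    """Evaluate the three checks that matter for the post's scenario."""
    root, restricted = build_site(anonymous_can_access_root)
    return {
        "root_access": allowed(user_roles, root, ACCESS),
        "restricted_access": allowed(user_roles, restricted, ACCESS),
        "restricted_sql": allowed(user_roles, restricted, USE_DB),
    }


if __name__ == "__main__":
    # An Editor should pass every check without Anonymous holding anything.
    print("Editor, Anonymous restricted:", check(["Editor"], False))
    # Anonymous should be refused in the restricted folder either way.
    print("Anonymous, Anonymous restricted:", check(["Anonymous"], False))
    print("Anonymous, workaround applied: ", check(["Anonymous"], True))
```

Note what the workaround costs in this model: granting the permission to "Anonymous" at the root widens access for every object that still acquires from the root, while (with acquisition switched off) it changes nothing inside the restricted folder. That is the least-privilege argument for treating the observed need for it as a defect rather than as configuration.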