[Zope] CopySupport methods permissions - do they make sense?
Dave Parker
dparker@globalcrossing.com
Thu, 04 Nov 1999 14:00:39 -0600
David Kankiewicz wrote:
> > I'm probably getting loopy, but I can't figure out how to set things up
> > such that an anonymous user could copy or clone or rename anything,
> > period - it feels like the logic is coded in such a way that it just
> > isn't possible (for anonymous). Could anyone come up with a simple
> > working example of this that does *not* require "View management
> > screens" be turned on in both the source and target folders??? It
> > *should* be simple.
> >
>
> What I gave you should work with only the "method" having "View
> management screens"..
Yup, it should, but it doesn't (even tried doing proxy Manager on the
method). I think something is really honestly broken here. There's a
blurb in the CopySupport module that refers to the fact that the various
copy methods do their own security, and you can see it in
_verifyObjectPaste().
In particular, the statement:
(CopySupport.py)
    if (not hasattr(user, 'has_role') or
        not user.has_role(roles, self)):
        raise 'Unauthorized', (
            """You are not authorized to perform this
            operation."""
            )
(and the fact that I get stopped here all the time) suggests that it is
currently impossible for a user that does not have some role or another
to actually perform a copy. Proxy roles don't seem to get past this, and
I don't know of a way to assign a role (temporary or otherwise) to an
anonymous user.
In short, I suspect that this logic is what's messing things up, and I'm
not certain why it's there in the first place. Most other stuff lets
some other lower-level Zope stuff deal with permissions automagically.
It doesn't make obvious sense that permission logic should have to be
re-coded here.
At this point I've worked around the problem, but I'll probably re-visit
it later.
Thanks again for your time!!
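
Added example, not part of the original message and not Zope's code: a simplified model of the situation described above, where a method re-implements its own role check by asking the user object directly. It assumes that proxy roles are applied by a central security check on the executing method rather than stored on the user; all class and function names here are hypothetical.

```python
# Simplified model only; names are assumptions, not Zope APIs.
class Unauthorized(Exception):
    pass

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def has_role(self, roles, obj=None):
        # Consults only the roles held by the user object itself.
        return bool(self.roles & set(roles))

class Method:
    """Stands in for a method that may carry proxy roles (assumed model)."""
    def __init__(self, proxy_roles=()):
        self.proxy_roles = set(proxy_roles)

def policy_check(user, required, executing=None):
    """Central check: proxy roles on the executing method replace the user's."""
    if executing is not None and executing.proxy_roles:
        effective = executing.proxy_roles
    else:
        effective = user.roles
    if not (effective & set(required)):
        raise Unauthorized("policy check failed")
    return True

def verify_object_paste(user, required, container=None):
    """Same shape as the quoted check: it never sees the executing method."""
    if (not hasattr(user, 'has_role') or
            not user.has_role(required, container)):
        raise Unauthorized("You are not authorized to perform this operation.")
    return True

def try_paste(user, executing, required=("Manager",)):
    """Report which of the two checks lets the call through."""
    checks = {
        "policy": lambda: policy_check(user, required, executing),
        "in_method": lambda: verify_object_paste(user, required),
    }
    results = {}
    for name, check in checks.items():
        try:
            results[name] = check()
        except Unauthorized:
            results[name] = False
    return results

ANONYMOUS = User("Anonymous User", ["Anonymous"])  # constructed sample user
```

In this model an anonymous caller running a method with a Manager proxy role passes the central check but is still rejected by the in-method check, which matches the behaviour reported in the message.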