[Zope] resolve_url and authorization

Michel Pelletier michel@digicool.com
Tue, 11 Apr 2000 17:35:22 -0700


Ingo Assenmacher wrote:
> 
> I have a method which searches for objects of certain types with help of
> an Catalog.
> I use
> 
> <dtml-in "Catalog(meta_type='desired_type')">
>  <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
>   <dtml-val id>
>  </dtml-with>
> </dtml-in>
> 
> And this is what I get IF I AM NOT THE SUPER-USER:
> Traceback (innermost last):
> Unauthorized: (see above)
> 
> I NEED THIS! So, please help!

resolve_url uses the exact same publishing machinery as calling a URL
through the web; it does _not_ bypass the security machinery.  If you do
not have enough privledge to access to an object, then you will get an
Unauthorized, just like when you call it through the web.

The user that you are running this query as does not have enough
privledge to call one of your desired_type objects.  The exact object
that you are unauthorized to see is displayed in the Error Message,
which you did not include.  There is no bug here, this is how it is
supposed to work.  Make sure that the objects that are resolved by this
query can be viewed by the user who runs the query.

-Michel