[Zope] resolve_url and authorization
Toby Dickenson
tdickenson@geminidataloggers.com
Wed, 12 Apr 2000 11:50:52 +0100
On Tue, 11 Apr 2000 17:35:22 -0700, Michel Pelletier
<michel@digicool.com> wrote:
>Ingo Assenmacher wrote:
>>
>> I have a method which searches for objects of certain types with help of
>> an Catalog.
>> I use
>>
>> <dtml-in "Catalog(meta_type='desired_type')">
>> <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
>> <dtml-var id>
>> </dtml-with>
>> </dtml-in>
>>
>> And this is what I get IF I AM NOT THE SUPER-USER:
>> Traceback (innermost last):
>> Unauthorized: (see above)
>>
>> I NEED THIS! So, please help!
>
>resolve_url uses the exact same publishing machinery as calling a URL
>through the web; it does _not_ bypass the security machinery. If you do
>not have enough privilege to access an object, then you will get an
>Unauthorized, just like when you call it through the web.
>
>The user that you are running this query as does not have enough
>privilege to call one of your desired_type objects. The exact object
>that you are unauthorized to see is displayed in the Error Message,
>which you did not include. There is no bug here, this is how it is
>supposed to work. Make sure that the objects that are resolved by this
>query can be viewed by the user who runs the query.
>
>-Michel
Not true!
There is a bug in the Acquisition machinery (scary, but true); see the
following for a description and patch.
http://classic.zope.org:8080/Collector/1066/view
Basically, Zope thinks a user has authority over an object if his user
folder is above the object in the acquisition tree. It gets this wrong
when resolve_url is involved, since that creates a parallel (rather
than nested) acquisition tree.
Toby Dickenson
tdickenson@geminidataloggers.com
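As an added illustration, not code from this thread or from Zope itself: a toy model of the authority rule Toby describes ("his user folder is above the object in the acquisition tree") and of why a parallel acquisition tree, as resolve_url builds, defeats an identity-based version of that test. The class and function names, the sample site and the path-based alternative check are all constructed here; the alternative is an assumption about how such a check could be made structural rather than identity-based, not the patch in the Collector entry.

```python
# Added illustration, not Zope's own code: a toy model of acquisition
# wrappers, of the "user folder must be above the object" rule, and of
# why re-publishing a path into a fresh, parallel tree makes an
# identity-based version of that rule fail. All names are constructed.
import copy
from typing import Dict, Iterator, List, Optional


class Node:
    """A content object plus the acquisition parent it was reached through."""

    def __init__(self, obj_id: str, children: Optional[List["Node"]] = None):
        self.id = obj_id
        self.children = children or []
        self.base = self                 # the unwrapped object (like aq_base)
        self.aq_parent: Optional["Node"] = None  # set when wrapped by traversal

    def wrap(self, parent: "Node") -> "Node":
        """Return an acquisition wrapper: same base object, explicit parent."""
        w = copy.copy(self)              # shallow copy keeps .base and .children
        w.aq_parent = parent
        return w

    def aq_chain(self) -> Iterator["Node"]:
        n: Optional[Node] = self
        while n is not None:
            yield n
            n = n.aq_parent

    def child(self, obj_id: str) -> "Node":
        for c in self.children:
            if c.id == obj_id:
                return c
        raise KeyError(obj_id)


def build_site() -> Node:
    """Constructed sample site: a user folder at the root, a document two levels down."""
    return Node("root", [Node("acl_users"), Node("docs", [Node("report")])])


def traverse(root: Node, path: str) -> Node:
    """Walk a slash-separated path, wrapping each step in its parent: the
    nested acquisition chain that ordinary web publishing produces."""
    current = root
    for segment in path.strip("/").split("/"):
        current = current.child(segment).wrap(current)
    return current


def resolve_url_like(root: Node, path: str) -> Node:
    """Model of resolve_url: publish the path again from a fresh copy of the
    root, giving a parallel tree that shares no object identity with the
    caller's chain."""
    return traverse(copy.deepcopy(root), path)


def user_folder_context_in_chain(obj: Node, user_folder: Node) -> bool:
    """Identity-based rule: the container holding the user folder must be
    among the object's acquisition ancestors (compared by base object)."""
    context = user_folder.aq_parent
    if context is None:
        return False
    return any(n.base is context.base for n in obj.aq_chain())


def user_folder_context_in_chain_by_path(obj: Node, user_folder: Node) -> bool:
    """Illustrative alternative (an assumption, not the Collector patch):
    compare physical paths so a parallel tree of the same site still passes."""
    def path_ids(n: Node) -> List[str]:
        return [x.id for x in n.aq_chain()][::-1]
    if user_folder.aq_parent is None:
        return False
    context_path = path_ids(user_folder.aq_parent)
    return path_ids(obj)[:len(context_path)] == context_path


def demo() -> Dict[str, bool]:
    """Run both checks against a nested and a parallel chain."""
    root = build_site()
    acl_users = traverse(root, "acl_users")
    nested = traverse(root, "docs/report")          # reached through the web
    parallel = resolve_url_like(root, "docs/report")  # reached via resolve_url
    return {
        "nested_identity": user_folder_context_in_chain(nested, acl_users),
        "parallel_identity": user_folder_context_in_chain(parallel, acl_users),
        "parallel_by_path": user_folder_context_in_chain_by_path(parallel, acl_users),
    }


if __name__ == "__main__":
    print(demo())
```

The nested chain passes the identity check; the chain produced by the resolve_url model does not, even though it names the same object, which is the shape of the Unauthorized Ingo saw for non-superusers. The path-based variant shows why comparing structure rather than object identity would accept the parallel chain.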