[Zope] resolve_url and authorization

Toby Dickenson tdickenson@geminidataloggers.com
Wed, 12 Apr 2000 11:50:52 +0100


On Tue, 11 Apr 2000 17:35:22 -0700, Michel Pelletier
<michel@digicool.com> wrote:

>Ingo Assenmacher wrote:
>> 
>> I have a method which searches for objects of certain types with help of
>> a Catalog.
>> I use
>> 
>> <dtml-in "Catalog(meta_type='desired_type')">
>>  <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
>>   <dtml-var id>
>>  </dtml-with>
>> </dtml-in>
>> 
>> And this is what I get IF I AM NOT THE SUPER-USER:
>> Traceback (innermost last):
>> Unauthorized: (see above)
>> 
>> I NEED THIS! So, please help!
>
>resolve_url uses the exact same publishing machinery as calling a URL
>through the web; it does _not_ bypass the security machinery.  If you do
>not have enough privilege to access an object, then you will get an
>Unauthorized, just like when you call it through the web.
>
>The user that you are running this query as does not have enough
>privilege to call one of your desired_type objects.  The exact object
>that you are unauthorized to see is displayed in the Error Message,
>which you did not include.  There is no bug here, this is how it is
>supposed to work.  Make sure that the objects that are resolved by this
>query can be viewed by the user who runs the query.
>
>-Michel

Not true!

There is a bug in the Acquisition machinery (scary, but true); see the
following for a description and patch.

http://classic.zope.org:8080/Collector/1066/view

Basically, zope thinks a user has authority over an object if his user
folder is above the object in the acquisition tree. It gets this wrong
when resolve_url is involved, since that creates a parallel (rather
than nested) acquisition tree.


Toby Dickenson
tdickenson@geminidataloggers.com
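To make the "parallel rather than nested acquisition tree" point concrete, here is an added, simplified Python model of acquisition-based authorization; it is not Zope's code, and Folder, Wrapper, resolve_from_root and the small tree are constructed for illustration. The same object passes the check when reached through the calling method's nested chain (which contains the user folder) and fails when re-resolved from the root, as a resolve_url-style lookup does.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Folder:
    name: str
    children: dict = field(default_factory=dict)
    has_user_folder: bool = False  # models an acl_users living in this folder

@dataclass
class Wrapper:
    obj: Folder
    parent: Wrapper | None = None  # acquisition parent (like aq_parent)

    def get(self, name: str) -> Wrapper:
        # Implicit acquisition: search this object, then up the chain. The hit
        # is wrapped with *self* as parent, so it nests inside the caller's context.
        ctx = self
        while ctx is not None:
            if name in ctx.obj.children:
                return Wrapper(ctx.obj.children[name], parent=self)
            ctx = ctx.parent
        raise AttributeError(name)

def chain(w: Wrapper | None) -> list:
    """Names along the acquisition chain, innermost first."""
    return [] if w is None else [w.obj.name] + chain(w.parent)

def authorized(w: Wrapper | None) -> bool:
    """The user has authority only if the user folder that authenticated them
    lies somewhere above the object in the acquisition chain (simplified rule)."""
    return w is not None and (w.obj.has_user_folder or authorized(w.parent))

def resolve_from_root(root: Wrapper, path: str) -> Wrapper:
    """resolve_url-like lookup: re-traverse the path from the root, producing a
    fresh (parallel) chain that does not contain the calling method's context."""
    w = root
    for part in path.strip("/").split("/"):
        w = Wrapper(w.obj.children[part], parent=w)
    return w

def demo():
    # Constructed tree: /app holds the user folder and the DTML method,
    # while the catalogued object lives at /data/obj.
    obj = Folder("obj")
    app = Folder("app", has_user_folder=True)
    root = Wrapper(Folder("root", {"app": app, "data": Folder("data", {"obj": obj})}))
    nested = root.get("app").get("data").get("obj")   # reached from the method's context
    parallel = resolve_from_root(root, "/data/obj")   # reached via a parallel chain
    return chain(nested), authorized(nested), chain(parallel), authorized(parallel)
```

Running demo() shows the nested chain obj, data, app, root is authorized while the parallel chain obj, data, root is not, which is the Unauthorized the original poster saw.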