[Zope] Strange behaviour on authorization
Casey Duncan
casey.duncan@state.co.us
Mon, 21 Aug 2000 09:02:59 -0600
The fact that your external method returns a class instance explains why it
fails where it does instead of in the dtml-let statement. It looks as though
Zope is allowing the object to be returned, but balking when you try to
access it. I think I will need to see exactly what your external method and
the returned object are doing before I can try explaining this behavior.
-Casey Duncan
-----Original Message-----
From: Jarkko Veijalainen [mailto:Jarkko.Veijalainen@tecnomen.fi]
Sent: Monday, August 21, 2000 1:17 AM
To: 'casey.duncan@state.co.us'
Cc: 'zope@zope.org'
Subject: RE: [Zope] Strange behaviour on authorization
Now, I have defined the same owner for every document in that folder, but it
didn't help me.
I cranked my pages a little bit and discovered a little more about where the
problem is. The problem isn't POSTING data, it's the return value that Zope
doesn't want to publish.
<clip>
<font face="Verdana, Arial" color="#ffffff">
<dtml-let resDTML="Imap('Authentication',REQUEST,1)">
<h2>User <dtml-var "resDTML.cn"> <dtml-var title_or_id></h2>
</font>
<FORM ACTION="email_headers" METHOD="POST" >
</TD><TD><font color="#000000" face="Verdana, Arial, Helvetica"
size="1"><dtml-var "resDTML.account"> </TD>
</clip>
The problem tag is <dtml-var "resDTML.cn">, which causes the following
traceback. When I remove this tag, the traceback bugs me about
Unauthorized: account, which is the 2nd value from the external method's
returned object resDTML.
So the problem is publishing contest of resDTML called in <DTML-LET>-tags. This
doesn't make any sense if I have to validate every return value from an external
method, it's just unacceptable. In the external method, I have a simple class
and an instance of that class is the return value of the method. I repeat this
again, ALL THESE THINGS DID work with Zope 2.1.6. How can I fix this?
Traceback (innermost last):
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line 147, in render
    (Object: resDTML="Imap('Authentication',REQUEST,1)")
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 337, in eval
    (Object: resDTML.cn)
    (Info: resDTML)
  File <string>, line 0, in ?
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 142, in careful_getattr
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in validate
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py, line 139, in validate
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: cn
jarkkov
> try to POST data to email_headers with login form, popups Authorization
> failed window. I have tried to use my manager and superuser name and same
> values that I submitted, but nothing is accepted to auth. window.
...
> so I have an authenticated user and I still can't log in. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore when I
> installed Zope 2.2.0 on Solaris. Why is Zope security trying to validate
> 'cn', which is a value that I submit to another document.
>
> What went wrong here and how do I fix this problem?
Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between
2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the
security level of the _owner_ of the method, regardless of whether this is a
lower or higher level than the currently authenticated user. My guess is
that your method has no owner (which is what pre-2.2.x objects default to
when run under 2.2.x). This means it is running as anonymous which does not
have rights to do what you want. Specify an owner for the method that has
sufficient rights to do what you want and try it again.
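
Added example, not part of the thread and not Zope source code: a simplified Python model of the per-attribute check that the traceback shows running in careful_getattr and validate, showing how, in this model, a plain instance returned by an external method is refused on the first attribute read whatever roles the caller holds. The classes AuthResult and DeclaredAuthResult, the function bodies and the sample values are assumptions; `__allow_access_to_unprotected_subobjects__` is a real Zope class attribute that the thread itself does not mention.

```python
# Simplified model of a per-attribute security check; NOT Zope source code.
class Unauthorized(Exception):
    pass

_NO_ROLES = object()  # sentinel: the value carries no security declaration

def validate(container, name, value, user_roles):
    """Raise Unauthorized unless `name` may be read from `container`."""
    roles = getattr(value, "__roles__", _NO_ROLES)
    if roles is _NO_ROLES:
        # Plain values (strings, numbers) declare nothing themselves, so the
        # container must explicitly permit access to them.
        if not getattr(container, "__allow_access_to_unprotected_subobjects__", 0):
            raise Unauthorized(name)
        return
    if roles is not None and not set(roles) & set(user_roles):
        raise Unauthorized(name)  # roles declared, caller holds none of them

def careful_getattr(obj, name, user_roles):
    """Model of the guarded attribute read used for DTML expressions."""
    if name.startswith("_"):
        raise Unauthorized(name)  # private names are never reachable
    value = getattr(obj, name)
    validate(obj, name, value, user_roles)
    return value

class AuthResult:
    """Constructed stand-in for the plain class the external method returns."""
    def __init__(self, cn, account):
        self.cn, self.account = cn, account

class DeclaredAuthResult(AuthResult):
    # Real Zope class attribute; it does not appear in the thread.
    __allow_access_to_unprotected_subobjects__ = 1

def render(result, user_roles):
    """Mimic <dtml-var "resDTML.cn"> followed by <dtml-var "resDTML.account">."""
    try:
        return " ".join(careful_getattr(result, n, user_roles) for n in ("cn", "account"))
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc

if __name__ == "__main__":
    sample = ("Jarkko", "jarkkov")  # constructed sample values
    print(render(AuthResult(*sample), ("Manager",)))            # denied on first attribute
    print(render(DeclaredAuthResult(*sample), ("Anonymous",)))  # both attributes rendered
```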