[Zope] new 2.2.4 security/role bug ?? (ZCatalog related ??)

Didier Georgieff Didier.GEORGIEFF@agriculture.gouv.fr
18 Dec 2000 15:24:49 +0100


Hello,

I've been experiencing some really weird and annoying things since I upgraded 
to 2.2.4 with the 12-08 and even with the 12-15a hotfix (seems to be OK in 2.2.2).

I can access all objects directly (URL) with no problem (according to 
the roles and the local roles; this is OK).

For some of those objects (it seems to be all the ones I've added in 2.2.4 in 
folders with local roles) I can't access the objects (an exception is raised) while in 
the context of the catalog (those objects are Catalog Aware via the Yihaw 
product).

I stripped the method down to this minimal test method, which still raises the 
exception:

<dtml-in Catalog>
  <dtml-with "Catalog.getobject(data_record_id_)">
    <a href="&dtml-absolute_url;"><dtml-var title_or_id></a><br>
  </dtml-with>
</dtml-in>

I have a workaround with a <dtml-try>, but then I miss all the objects, even though they 
are fully reachable directly via their URL.

The problem seems to be with objects with local roles (anonymous has no 
view, no access content, and other roles have these authorizations via local 
roles).

The second weird thing (which should help with the diagnosis) is:

While I have the "manager" role (I can do whatever I want in the management 
interface), I tried to give a proxy role to my test method, to see if I could 
investigate further. 
Trying to change the proxy role raised an exception, despite the fact that I 
have the manager role with full authorizations.

This last thing makes me think it is an acquisition/role/security bug.

Any idea/solution? We officially open tomorrow morning, and I'm in 
a deep.... well, embarrassed ;-))

=======> This is the FIRST traceback.
Zope Error

             Zope has encountered an error while publishing this resource. 

             Unauthorized

             You are not authorized to access title_or_id. 

             Traceback (innermost last):
               File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 222, in publish_module
               File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 187, in publish
               File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 171, in publish
               File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/mapply.py, line 160, in mapply
                 (Object: test_latest)
               File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 112, in call_object
                 (Object: test_latest)
               File /home/georgieff/Zope-2.2.2-src/lib/python/OFS/DTMLMethod.py, line 172, in __call__
                 (Object: test_latest)
               File /home/georgieff/Zope-2.2.2-src/lib/python/DocumentTemplate/DT_String.py, line 528, in __call__
                 (Object: test_latest)
               File /home/georgieff/Zope-2.2.2-src/lib/python/DocumentTemplate/DT_In.py, line 611, in renderwb
                 (Object: Catalog(bobobase_modification_time=ZopeTime()-14,
                   bobobase_modification_time_usage='range:min',
                   sort_on='bobobase_modification_time',
                   sort_order='reverse'))
               File /home/georgieff/Zope-2.2.2-src/lib/python/DocumentTemplate/DT_With.py, line 146, in render
                 (Object: Catalog.getobject(data_record_id_))
               File /home/georgieff/Zope-2.2.2-src/lib/python/OFS/DTMLMethod.py, line 194, in validate
                 (Object: test_latest)
               File /home/georgieff/Zope-2.2.2-src/lib/python/AccessControl/SecurityManager.py, line 139, in validate
               File /home/georgieff/Zope-2.2.2-src/lib/python/AccessControl/ZopeSecurityPolicy.py, line 209, in validate
             Unauthorized: (see above)


=======> This is the SECOND traceback.

Zope Error

  Zope has encountered an error while publishing this resource. 

  Forbidden

  You are not authorized to change test_latest because you do not have proxy roles. 

  Traceback (innermost last):
    File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 222, in publish_module
    File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 187, in publish
    File /home/georgieff/Zope-2.2.2-src/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
      (Object: test_latest)
    File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 171, in publish
    File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/mapply.py, line 160, in mapply
      (Object: manage_proxy)
    File /home/georgieff/Zope-2.2.2-src/lib/python/ZPublisher/Publish.py, line 112, in call_object
      (Object: manage_proxy)
    File /home/georgieff/Zope-2.2.2-src/lib/python/OFS/DTMLMethod.py, line 278, in manage_proxy
      (Object: test_latest)
    File /home/georgieff/Zope-2.2.2-src/lib/python/OFS/DTMLMethod.py, line 271, in _validateProxy
      (Object: test_latest)
  Forbidden: (see above)


--
Didier Georgieff
DDAF du Bas-Rhin - Cellule SIG 
2, rue des Mineurs 67070 Strasbourg Cedex
tél : 03.88.25.20.33 - fax : 03.88.25.20.01
email : didier.georgieff@agriculture.gouv.fr
SIT du Bas-Rhin : http://www.bas-rhin.sit.gouv.fr
GéoWeb http://sertit10.u-strasbg.fr