[Zope] Access control & Acquisition...
Jon Prettyman
jprettyman@acm.org
22 Feb 2000 20:53:45 -0800
Given a layout such as this:
/Control_Panel/Products/UserProperties/UserPropertyClass/
/nmn/premium/acl_users(GenericUserFolder)/userA(role subscriber)
/nmn/premium/user_profiles
|role subscriber has permission to add UserProperties[s]
|role subscriber has permission to View Management Screens
|role subscriber has permission to Access contents
Scenario:
anonymous user accesses /nmn/premium, which causes a GUF user login
logs in as jjp (has role subscriber) and sees /nmn/premium/index_html
jjp accesses /nmn/premium/user_profiles/manage
sees manage screen with
[ADD]UserProperties
jjp selects [ADD]UserProperties, which causes the GUF user login screen
the log shows that jjp tried to access
/nmn/Premium/Users/manage_addProduct/UserProperties/UserPropertiesClass_factory
and failed with a 500
Looking at GUF debug messages, it looks like the authentication
``crawls'' up and fails at the root.
After perusing the Acquisition Algebra paper Jim Fulton wrote, I see:
Acquisition and Security
Based on aq_inner
Can't access a protected object unless the user database is a
common ancestor.
Without these rules, it would be possible to "steal" access
through acquisition.
Is this second item what is causing me to fail? If so, any insights
into how I can work around it?
TIA
-Jon
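An added illustration (not Zope's or GUF's own code) of the rule quoted above: a toy containment model in which authentication only consults user folders that are ancestors of the target object by containment (the aq_inner chain), never the URL path the request traversed, so a user folder reached only through acquisition cannot confer access. The folder layout, users, roles and the permission name are constructed to mirror the post.

```python
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}
        self.users = {}     # user -> roles; non-empty means this folder is an acl_users
        self.grants = {}    # permission -> roles allowed to exercise it here
        if parent is not None:
            parent.children[name] = self

def containment_chain(obj):
    # obj, its container, ... root: the aq_inner chain, never the URL traversal path
    while obj is not None:
        yield obj
        obj = obj.parent

def authenticate(obj, user):
    # Roles from the nearest acl_users that is an ancestor of obj by containment.
    # None means the lookup crawled all the way to the root without finding the user.
    for node in containment_chain(obj):
        uf = node.children.get("acl_users")
        if uf is not None and user in uf.users:
            return uf.users[user]
    return None

def permitted_roles(obj, permission):
    # Permission-to-role settings are acquired from the nearest ancestor that sets them.
    for node in containment_chain(obj):
        if permission in node.grants:
            return node.grants[permission]
    return set()

def check_access(obj, user, permission):
    roles = authenticate(obj, user)
    return roles is not None and bool(roles & permitted_roles(obj, permission))

def build_site():
    # Constructed layout mirroring the post: a root acl_users, the Control_Panel
    # products tree, and a GUF-style acl_users under /nmn/premium that knows jjp.
    root = Folder("")
    Folder("acl_users", root).users["admin"] = {"Manager"}
    Folder("UserProperties", Folder("Products", Folder("Control_Panel", root)))
    premium = Folder("premium", Folder("nmn", root))
    Folder("acl_users", premium).users["jjp"] = {"subscriber"}
    Folder("user_profiles", premium).grants["Add UserProperties"] = {"subscriber"}
    return root

def lookup(root, path):
    node = root
    for part in path.strip("/").split("/"):
        node = node.children[part]
    return node
```

With this model, jjp can add inside /nmn/premium/user_profiles, but the product factory under /Control_Panel/Products has a containment chain that never passes /nmn/premium/acl_users, so authentication there fails at the root even though the request traversed /nmn/premium to reach it.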