[Zope] Access control & Acquisition...

Art Hampton arth@pacsg.css.mot.com
Thu, 24 Feb 2000 10:00:10 -0600


Jon,

Thanks to your email below, I realized what would solve my own problem.

I'm not sure if this will help you or not, but here goes....

I had a setup like so:

/
+---- acl_users
+---- util
|       +--- (various utilities)
+---- secure
        +--- acl_users
        +--- (various documents)

The top acl_users folder is really only there so that people have to log
in, such that I can show them information customized for them.

The documents in the secure directory use the utilities in util.  But
when acl_users was created in the secure directory, suddenly they
couldn't use the utilities.  This confused me, because everyone had
permission via the top acl_users folder.

Thanks to Jim Fulton's presentation, and your quote from it, I realized
that it didn't matter if they had permissions, the two acl_users folders
just weren't going to play nice.

So I modified the permissions on util such that anyone can view or
access contents information.  Everything is back to working again.

So thanks, and I hope this helped.


Jon Prettyman wrote:
> 
> Given a layout such as this:
> 
> /Control_Panel/Products/UserProperties/UserPropertyClass/
> /nmn/premium/acl_users(GenericUserFolder)/userA(role subscriber)
> /nmn/premium/user_profiles
>             |role subscriber has permission to add UserProperties[s]
>             |role subscriber has permission to View Management Screens
>             |role subscriber has permission to Access contents
> 
> 
> Scenario:
>   anonymous user access /nmn/premium      causes GUF user login
>   logs in as jjp(has role subscriber)     sees /nmn/premium/index_html
>   jjp access /nmn/premium/user_profiles/manage
>                                           sees manage screen with
>                                           [ADD]UserProperties
>   jjp selects [ADD]UserProperties         causes GUF user login screen
>       the log shows that jjp tried to access
> /nmn/Premium/Users/manage_addProduct/UserProperties/UserPropertiesClass_factory
>       and failed with a 500
> Looking at GUF debug messages, it looks like the authentication
> ``crawls'' up and fails at the root.
> 
> After perusing the Acquisition Algebra paper Jim Fulton wrote, I see:
>    Acquisition and Security
> 
>      Based on aq_inner
> 
>      Can't access a protected object unless the user database is a
> common ancestor.
> 
>      Without these rules, it would be possible to "steal" access
> through acquisition.
> 
> Is this second item what is causing me to fail?  If so, any insights
> into how I can work around it?
> 
> TIA
> -Jon
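The containment rule Jon quotes from Jim Fulton's paper, and Art's workaround of opening util to Anonymous, modelled as an added example (a constructed Python toy written for this thread, not Zope's own code; the folder names follow Art's layout):

```python
# Constructed toy model of the rule quoted from Jim Fulton's paper: a user
# authenticated by one acl_users folder may reach a protected object only
# if that user folder's container is a common ancestor on the object's
# containment (aq_inner) path. This is an illustration, not Zope's code.

class Folder:
    def __init__(self, name, parent=None, has_user_folder=False, public=False):
        self.name = name
        self.parent = parent
        self.has_user_folder = has_user_folder  # this folder holds an acl_users
        self.public = public  # View / Access contents granted to Anonymous
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def ancestors(self):
        """Containment ancestors, nearest first (acquisition context ignored)."""
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


def nearest_user_folder_container(obj):
    """The folder whose acl_users challenges a request for obj: the closest
    ancestor-or-self holding a user folder (simplified from Zope's lookup)."""
    node = obj
    while node is not None and not node.has_user_folder:
        node = node.parent
    return node


def can_access(target, user_folder_container):
    """True if a user authenticated in user_folder_container may reach target."""
    if target.public:  # nothing protected is involved, so the rule does not apply
        return True
    return user_folder_container is target or user_folder_container in target.ancestors()


def build_art_tree(util_public=False):
    """Art's layout: / and /secure each hold an acl_users; /util holds utilities."""
    root = Folder("", has_user_folder=True)
    util = Folder("util", root, public=util_public)
    secure = Folder("secure", root, has_user_folder=True)
    docs = Folder("documents", secure)
    return root, util, secure, docs
```

With util_public=False a user challenged by /secure/acl_users is denied /util because /secure is not an ancestor of /util; granting View and Access contents to Anonymous on util, as Art did, sidesteps the check entirely.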