[Zope] Zope 2.2b2 security conundrum

Jay, Dylan djay@lucent.com
Mon, 26 Jun 2000 11:15:06 +1000


I am playing with ZDP-Tools, which are ZClass based. When I try to add a
new object I get a security failure.


  <H2>Zope Error</H2>
  <P>Zope has encountered an error while publishing this resource.
  </P>
  <P><STRONG>Unauthorized</STRONG></P>
  
  You are not authorized to access <em>manage_editProperties</em>.
<!--
Traceback (innermost last):
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 222, in
publish_module
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 187, in
publish
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 171, in
publish
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\mapply.py, line 160, in
mapply
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 112, in
call_object
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 168, in
__call__
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line
500, in __call__
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_With.py, line 146,
in render
    (Object: FAQQuestionClass.createInObjectManager(REQUEST['id'], REQUEST))
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 164, in
__call__
    (Object: DocumentFolderClass_add_fragment_exec)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line
500, in __call__
    (Object: DocumentFolderClass_add_fragment_exec)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 339,
in eval
    (Object: propertysheets.Info.manage_editProperties(REQUEST))
    (Info: REQUEST)
  File &lt;string&gt;, line 0, in ?
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 140,
in careful_getattr
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 187, in
validate
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\AccessControl\SecurityManager.py, line
139, in validate
  File D:\PROGRA~1\Zope22\lib\python\AccessControl\ZopeSecurityPolicy.py,
line 208, in validate
Unauthorized: (see above)

I figure this is due to the new security model. The user I am using doesn't
have Manager privileges but has permission to add this object. I get the add
form; however, when I try to submit, the above occurs. I think this might have
something to do with the ownership of FAQQuestionClass_add. However, I can't
see who owns FAQQuestionClass_add. How is the new security model supposed to
work with ZClasses, and how do I get round this problem so I can give a user
the ability to add a new object?