[Zope] Zope 2.2b2 security conundrum
Bill Anderson
bill@libc.org
Sun, 25 Jun 2000 21:41:36 -0600
"Jay, Dylan" wrote:
>
> I am playing with ZDP-Tools, which are ZClass-based. When I try to add a
> new object I get a security failure.
>
> <H2>Zope Error</H2>
> <P>Zope has encountered an error while publishing this resource.
> </P>
> <P><STRONG>Unauthorized</STRONG></P>
>
> You are not authorized to access <em>manage_editProperties</em>.
> <!--
> Traceback (innermost last):
> File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 222, in
> publish_module
> File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 187, in
> publish
> File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 171, in
> publish
> File D:\PROGRA~1\Zope22\lib\python\ZPublisher\mapply.py, line 160, in
> mapply
> (Object: FAQQuestionClass_add)
> File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 112, in
> call_object
> (Object: FAQQuestionClass_add)
> File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 168, in
> __call__
> (Object: FAQQuestionClass_add)
> File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line
> 500, in __call__
> (Object: FAQQuestionClass_add)
> File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_With.py, line 146,
> in render
> (Object: FAQQuestionClass.createInObjectManager(REQUEST['id'], REQUEST))
> File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 164, in
> __call__
> (Object: DocumentFolderClass_add_fragment_exec)
> File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line
> 500, in __call__
> (Object: DocumentFolderClass_add_fragment_exec)
> File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 339,
> in eval
> (Object: propertysheets.Info.manage_editProperties(REQUEST))
> (Info: REQUEST)
> File <string>, line 0, in ?
> File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 140,
> in careful_getattr
> File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 187, in
> validate
> (Object: FAQQuestionClass_add)
> File D:\PROGRA~1\Zope22\lib\python\AccessControl\SecurityManager.py, line
> 139, in validate
> File D:\PROGRA~1\Zope22\lib\python\AccessControl\ZopeSecurityPolicy.py,
> line 208, in validate
> Unauthorized: (see above)
>
> I figure this is due to the new security model. The user I am using doesn't
> have Manager privileges but has permission to add this object. I get the add
> form; however, when I try to submit, the above occurs. I think this might have
> something to do with the ownership of FAQQuestionClass_add. However, I can't
> see who owns FAQQuestionClass_add. How is the new security model supposed to
> work with ZClasses, and how do I get round this problem so I can give a user
> the ability to add a new object?

Check for the permission "Manage Properties". This one threw me for a
while. I posted this a week or two back; you should be able to find it
in the archives.

This works when I call the addForm directly, yet when I use a form local
to the directory and use the "<dtml-with ..." technique from the FAQ (as I
use in KnowledgeKit), it doesn't seem happy, requesting authentication
through Basic Auth, as opposed to the Cookie Login form I use currently
(Membership 0.6.0).

I am working on this, and will post a fix as soon as I have one.