[Zope] Zope 2.2b2 security conundrum

Jay, Dylan djay@lucent.com
Mon, 26 Jun 2000 16:01:52 +1000


> -----Original Message-----
> From: Bill Anderson [mailto:bill@libc.org]
> Sent: Monday, June 26, 2000 1:42 PM
> To: Jay, Dylan
> Cc: 'zope@zope.org'
> Subject: Re: [Zope] Zope 2.2b2 security conundrum
> 
> 
> "Jay, Dylan" wrote:
> > 
> > I am playing with ZDP-Tools which are ZClass based. When I try to add a
> > new object I get a security failure.
> > 
> >   <H2>Zope Error</H2>
> >   <P>Zope has encountered an error while publishing this resource.
> >   </P>
> >   <P><STRONG>Unauthorized</STRONG></P>
> > 
> >   You are not authorized to access <em>manage_editProperties</em>.
> > <!--
> > Traceback (innermost last):
> >   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 222, in publish_module
> >   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 187, in publish
> >   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 171, in publish
> >   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\mapply.py, line 160, in mapply
> >     (Object: FAQQuestionClass_add)
> >   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 112, in call_object
> >     (Object: FAQQuestionClass_add)
> >   File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 168, in __call__
> >     (Object: FAQQuestionClass_add)
> >   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
> >     (Object: FAQQuestionClass_add)
> >   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_With.py, line 146, in render
> >     (Object: FAQQuestionClass.createInObjectManager(REQUEST['id'], REQUEST))
> >   File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 164, in __call__
> >     (Object: DocumentFolderClass_add_fragment_exec)
> >   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
> >     (Object: DocumentFolderClass_add_fragment_exec)
> >   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 339, in eval
> >     (Object: propertysheets.Info.manage_editProperties(REQUEST))
> >     (Info: REQUEST)
> >   File <string>, line 0, in ?
> >   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
> >   File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 187, in validate
> >     (Object: FAQQuestionClass_add)
> >   File D:\PROGRA~1\Zope22\lib\python\AccessControl\SecurityManager.py, line 139, in validate
> >   File D:\PROGRA~1\Zope22\lib\python\AccessControl\ZopeSecurityPolicy.py, line 208, in validate
> > Unauthorized: (see above)
> > 
> > I figure this is due to the new security model. The user I am using doesn't
> > have Manager privileges but has permission to add this object. I get the add
> > form; however, when I try to submit, the above occurs. I think this might have
> > something to do with the ownership of FAQQuestionClass_add. However I can't
> > see who owns FAQQuestionClass_add. How is the new security model supposed to
> > work with ZClasses and how do I get round this problem so I can give a user
> > the ability to add a new object?
> 
> 
> Check for the permission "Manage Properties". This one threw me for a
> while. I posted this a week or two back, you should be able to find it
> in the archives.
> This works when I call the addForm directly, yet when I use a form local
> to the directory and use the "<dtml-with ..." technique from the FAQ (as I
> use in KnowledgeKit), it doesn't seem happy, requesting authentication
> through Basic Auth, as opposed to the Cookie Login form I use currently
> (Membership 0.6.0).
> 
> I am working on this, and will post a fix as soon as I have one.

I solved this by giving the piece of code that changes the properties the
Proxy Manager role.
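
The two fixes discussed in this thread (Bill's: grant the user's role the "Manage Properties" permission; Dylan's: give the add method a Manager proxy role) can be compared with a small model of the check that fails in the traceback above. The code below is an added illustration written for this archive page, not Zope's own code: the permission-to-roles table, the method-to-permission table, the user and role names, and all class and function names are constructed for the example, and the policy is deliberately simplified (it ignores acquisition, ownership and the Owner role). What it does reproduce is the rule that matters here: the security policy validates each call against the roles in effect at that moment, and proxy roles replace the calling user's roles while the executable runs.

```python
"""Simplified model of Zope 2's permission check and of proxy roles.

Added example for the mailing-list thread above, not Zope's code.
All names and tables below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed: roles that hold each permission in the folder where the
# ZClass instance is being added (what the folder's Security tab edits).
PERMISSION_ROLES = {
    "Add Documents, Images, and Files": {"Manager", "Contributor"},
    "Manage properties": {"Manager"},
}

# Constructed: the permission protecting each method that the add
# sequence in the traceback calls.
METHOD_PERMISSION = {
    "FAQQuestionClass_add": "Add Documents, Images, and Files",
    "manage_editProperties": "Manage properties",
}


class Unauthorized(Exception):
    """Raised when no effective role holds the required permission."""


@dataclass
class User:
    name: str
    roles: set


@dataclass
class Executable:
    """A DTML method or ZClass constructor, optionally with proxy roles."""
    name: str
    proxy_roles: set = field(default_factory=set)


def effective_roles(user, executable):
    """Proxy roles stand in for the user's roles while the executable runs.

    The elevation is attached to the code, not to the user: outside this
    executable the user still has only their own roles.
    """
    if executable.proxy_roles:
        return set(executable.proxy_roles)
    return set(user.roles)


def validate(method, user, executable, permission_roles=PERMISSION_ROLES):
    """Return True if the call is allowed, else raise Unauthorized."""
    permission = METHOD_PERMISSION[method]
    if effective_roles(user, executable) & permission_roles[permission]:
        return True
    raise Unauthorized(f"{user.name} may not call {method} (needs '{permission}')")


def try_add_question(user, add_method, permission_roles=PERMISSION_ROLES):
    """Model of the constructor: create the object, then edit its properties.

    Returns [(step, outcome), ...] so the two checks can be compared.
    """
    results = []
    for step in ("FAQQuestionClass_add", "manage_editProperties"):
        try:
            validate(step, user, add_method, permission_roles)
            results.append((step, "ok"))
        except Unauthorized:
            results.append((step, "Unauthorized"))
    return results


def grant(permission_roles, permission, role):
    """Bill's fix, modelled: a copy of the table with `role` added to `permission`."""
    updated = {p: set(r) for p, r in permission_roles.items()}
    updated[permission].add(role)
    return updated


if __name__ == "__main__":
    contributor = User("dylan", {"Contributor"})          # constructed user
    plain_add = Executable("FAQQuestionClass_add")
    print(try_add_question(contributor, plain_add))       # second step fails, as in the traceback
    # Dylan's fix: proxy role on the code that edits the properties.
    proxied_add = Executable("FAQQuestionClass_add", {"Manager"})
    print(try_add_question(contributor, proxied_add))
    # Bill's fix: give the user's role the permission itself.
    print(try_add_question(contributor, plain_add,
                           grant(PERMISSION_ROLES, "Manage properties", "Contributor")))
```

Both fixes make the add sequence succeed, but they differ in scope: with the proxy role, the contributor can still not call manage_editProperties on their own, because the elevated roles exist only inside the add method, whereas granting the permission to the Contributor role lets every contributor edit properties anywhere that permission setting is acquired. That is the least-privilege argument for Dylan's approach when only one piece of code needs the extra right.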