[Zope] acquisition/acl_users/permissions: is something broken? 2nd post on this problem.
Gilles Lavaux
gilles.lavaux@esrin.esa.it
Mon, 27 Nov 2000 14:21:10 +0100
Hello,
This is the second time I have had this problem. I am reporting it again because the
answer I got last time was not 'sure' (see bottom of mail), and I would
like to have a 'definitive' explanation from some Zope guru. I hope my
explanation will be clear:
I have 3 folders for a project called 'sms':
/sms/shtml, which is accessible by anonymous
/sms/shtml/stations, which is not accessible by anonymous, only by
'operator' and station users
/sms/admin, which is accessible only by the 'operator' user
/sms/acl_users contains the 'operator' user with role 'sms_admin'
/sms/shtml/stations/acl_users contains several station users
(station1, station2, etc.) with role 'station'
1) The 'operator' user has permission to access /shtml/stations. Operator
authentication is forced by accessing a '/sms/admin/login' method.
2) A method 'check' is inside the '/sms/shtml' folder; this method (also)
displays the HTTP authenticated user.
My problem: I am logged in as 'operator'. Sometimes, accessing
'/sms/shtml/stations/check' shows me:
-Logged in as: Anonymous User and has role(s): Anonymous
instead of:
-Logged in as: operator and has role(s): sms_admin
Why? (This is with IE and Netscape.)
I just have a guess: the 'operator' user is defined in '/sms/acl_users' and
my stationx users are defined in '/sms/shtml/stations/acl_users'.
So: is it possible that when I do my 'check' as operator, the acquisition goes
to the acl_users which contains the stationx users and misses the other
acl_users folder (which is two levels above)?
Another observation: I am logged in as operator in a new browser and have the
problem; I click on a link for a stationx user but cancel the HTTP
authentication, and then the problem disappears.
I am able to use a workaround, but I would like to understand what causes my
problem.
Is there a way to display which object has triggered the authentication, and
which acl_users folder is used?
Help please...
Thanks.
Gilles Lavaux
> Last time's reply by Dieter Maurer:
> The security system does not use the full acquisition context but
> only the containment. This is a security feature to prevent
> a user with partial management rights in a subfolder from
> affecting permissions for objects outside their area.
> I think (am not sure!) that in your case, the "protected" context
> is not used as your objects are in fact outside "protected".
> Dieter
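As an added illustration of the containment-versus-acquisition distinction in Dieter's reply (example code written for this page, not Zope's own security machinery): a small Python model of the folder layout from the post, where the 'check' method physically lives in /sms/shtml but is reached through the URL /sms/shtml/stations/check. The Folder class, its acl_users dictionaries and the two lookup functions are assumptions of this model, not Zope APIs; it shows why a role granted in a subfolder's acl_users does not reach an object contained outside that subfolder.

```python
from dataclasses import dataclass, field


@dataclass
class Folder:
    """Toy model of a Zope folder (assumption: not Zope's real Folder class)."""
    name: str
    parent: "Folder | None" = None
    # This folder's acl_users: user name -> set of roles (constructed sample data).
    acl_users: dict = field(default_factory=dict)

    def path(self) -> str:
        return (self.parent.path() if self.parent else "") + "/" + self.name


def containment_chain(container):
    """Yield the folders that physically contain an object, innermost first."""
    while container is not None:
        yield container
        container = container.parent


def roles_by_containment(obj_container, user):
    """Roles for an object looked up only in the acl_users folders that
    physically contain it (the 'containment' Dieter describes)."""
    roles = set()
    for folder in containment_chain(obj_container):
        roles |= folder.acl_users.get(user, set())
    return roles


def roles_by_acquisition(traversal_path, user):
    """Roles looked up along the full URL traversal path, which also includes
    a folder the object was merely acquired through."""
    roles = set()
    for folder in traversal_path:
        roles |= folder.acl_users.get(user, set())
    return roles


# Constructed layout mirroring the post: /sms, /sms/shtml, /sms/shtml/stations.
sms = Folder("sms", acl_users={"operator": {"sms_admin"}})
shtml = Folder("shtml", parent=sms)            # 'check' physically lives here
stations = Folder("stations", parent=shtml, acl_users={"station1": {"station"}})
URL_PATH = [sms, shtml, stations]               # what /sms/shtml/stations/check traverses

if __name__ == "__main__":
    for user in ("operator", "station1"):
        print(user, "containment:", roles_by_containment(shtml, user),
              "acquisition:", roles_by_acquisition(URL_PATH, user))
```

With containment-only lookup the station1 user gets no role on 'check', while the operator user (defined two levels above) is still found; the acquisition-path lookup would let the subfolder's 'station' role leak onto an object outside /sms/shtml/stations.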