[Zope] [Q] How to get "Owner" access to work properly?
Asko Seeba
joka@cyber.ee
Fri, 3 Aug 2001 08:44:45 +0200
Hi,
I'm new to this Zope thing and sorry if I ask a boring old question, but I
didn't find any FAQ and this mailing list here is my last hope :).
CONFIGURATION
1. So, I downloaded the Zope 2.4.0 binary executable package for Windows and
installed it on Win2000.
2. I (with manager rights at manager page) made a folder (say my_folder) for
a web page, added an acl_users folder to this folder
3. I made the web page private by unchecking "Acquire permission settings?"
checkbox from "View" permission and adding the checkbox to "Manager" role.
4. I added a special role for my web page's users in my_folder's
Security tab, say "Author", with the following permissions:
Add Documents, Images, and Files
Add Folders
View
5. I added users alice and bob (two famous paranoiacs in security-related
literature) and made a simple file upload form with a possibility to also
delete the uploaded files.
PROBLEM
I want to get the situation where each user can delete only those files that
were uploaded by that user. I tried deleting by calling manage_delObjects
from a DTML document.
1. When I set up the checkbox for "Delete objects" _only_ to role "Author",
then everyone with this role can delete the file, even those who are not
owners of the file.
2. When I set up the checkbox for "Delete objects" _only_ to role "Owner",
then nobody can delete the file, even the file owner. For example, when Bob
uploads a file, then I can see from the management page's ownership tab that
the file owner is Bob, but if Bob tries to delete the file, he gets a dialog
box asking for a password (although he is already logged in as Bob) and if
he clicks Cancel (using IE 5.50.4522.1800), he gets an error (see Appendix
below).
According to the Zope documentation, the Owner's role should apply
automatically for owned files, but here it doesn't work. Why?
Thanx in advance,
--
Asko Seeba
APPENDIX
Site Error
An error was encountered while publishing this resource.
Unauthorized
You are not authorized to access manage_delObjects.
Traceback (innermost last):
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 223, in publish_module
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 187, in publish
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 171, in publish
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: delete)
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: delete)
  File C:\PROGRA~1\WebSite\lib\python\OFS\DTMLDocument.py, line 199, in __call__
    (Object: delete)
  File C:\PROGRA~1\WebSite\lib\python\DocumentTemplate\DT_String.py, line 544, in __call__
    (Object: delete)
  File C:\PROGRA~1\WebSite\lib\python\DocumentTemplate\DT_Util.py, line 230, in eval
    (Object: data.manage_delObjects(file))
    (Info: data)
  File <string>, line 2, in f
    (Object: guarded_getattr)
  File C:\PROGRA~1\WebSite\lib\python\AccessControl\DTML.py, line 101, in guarded_getattr
    (Object: delete)
  File C:\PROGRA~1\WebSite\lib\python\AccessControl\ZopeGuards.py, line 120, in guarded_getattr
    (Object: LockableItem)
  File C:\PROGRA~1\WebSite\lib\python\AccessControl\ZopeGuards.py, line 103, in aq_validate
    (Object: LockableItem)
  File C:\PROGRA~1\WebSite\lib\python\AccessControl\SecurityManager.py, line 149, in validate
  File C:\PROGRA~1\WebSite\lib\python\AccessControl\ZopeSecurityPolicy.py, line 229, in validate
Unauthorized: (see above)
--------------------------------------------------------------------------------
Troubleshooting Suggestions
The URL may be incorrect.
The parameters passed to this resource may be incorrect.
A resource that this resource relies on may be encountering an error.
For more detailed information about the error, please refer to the HTML
source for this page.
If the error persists please contact the site maintainer. Thank you for your
patience.