[Zope] weird, zpt security problem?

Phil Harris phil@harris-family.info
Fri, 5 Apr 2002 23:42:49 +0100


all,

I have a problem and need someone to verify it for me, just so's I know I'm
not going insane.

Here's what I did:

1.    Create a folder in the root, call it folder1
2.    Create a new role in folder1, call it member
3.    Create a user folder within folder1, and create a user in there with
member role
4.    Create a folder within folder1, call it folder2
5.    Change the security for folder2 to turn off acquisition for the
'Access contents information' and 'view' and explicitly turn them on for the
new member role and manager
6.    Create a zope page template within folder2, call it index_html keeping
the default content

Now start another browser and try and view the /folder1/folder2/index_html
as the user you created earlier.

At this point I can't log in with anything but a user with manager role; the
member, who should have enough access (and would have with a dtml method in
place of the zpt), can't see this page at all.

The error I get back is that the user is:

Error Type: Unauthorized
Error Value: You are not allowed to access title in this context

With a traceback like this:

Traceback (innermost last):
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 150, in publish_module
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 114, in publish
  File D:\zope25\lib\python\Zope\__init__.py, line 159, in zpublisher_exception_hook
    (Object: ftest2)
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 98, in publish
  File D:\zope25\lib\python\ZPublisher\mapply.py, line 88, in mapply
    (Object: index_html)
  File D:\zope25\lib\python\ZPublisher\Publish.py, line 39, in call_object
    (Object: index_html)
  File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 252, in __call__
    (Object: index_html)
  File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 283, in _bindAndExec
    (Object: index_html)
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 177, in _eval
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 134, in _eval
    (Info: template)
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 327, in restrictedTraverse
    (Object: index_html)
    (Info: {'path': ['title'], 'TraversalRequestNameStack': []})
  File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 345, in validate2
    (Object: index_html)
  File D:\zope25\lib\python\AccessControl\SecurityManager.py, line 83, in validate
  File D:\zope25\lib\python\AccessControl\ZopeSecurityPolicy.py, line 177, in validate
Unauthorized: (see above)

Does anyone else see this, am I doing something wrong, is it a bug, or am I
completely insane?

I'd appreciate any reports sent either to me direct or to the list.

tia

ps.
    reporting on my sanity will get you no brownie points whatsoever ;)


Phil