[Zope] weird, zpt security problem?

Phil Harris phil@harris-family.info
Sat, 6 Apr 2002 00:24:41 +0100


I'm replying to my own email 'cos I think I know what the problem is.

If you use the scheme below to try and duplicate the problem you won't, BUT
if you turn off either one of the permissions for manager then you get the
symptoms that I describe.

OK, you'll say that manager should have those roles, and I'd agree, but as
someone else said "it's an unexpected inconsistency".


----- Original Message -----
From: "Phil Harris" <phil@harris-family.info>
To: <zope@zope.org>
Sent: Friday, April 05, 2002 11:42 PM
Subject: [Zope] weird, zpt security problem?


> all,
>
> I have a problem and need someone to verify it for me, just so's I know I'm
> not going insane.
>
> Here's what I did:
>
> 1.    Create a folder in the root, call it folder1
> 2.    Create a new role in folder1, call it member
> 3.    Create a user folder within folder1, and create a user in there with
> member role
> 5.    create a folder within folder1, call it folder2
> 4.    change the security for folder2 to turn off acquisition for the
> 'Access contents information' and 'view' and explicitly turn them on for the
> new member role and manager
> 6.    create a zope page template within folder2, call it index_html keeping
> the default content
>
> now start another browser and try and view the /folder1/folder2/index_html
> as the user you created earlier
>
> At this point I can't login with anything but a user with manager role, the
> member who should have enough access (and would have with a dtml method in
> place of the zpt), can't see this page at all.
>
> The error I get back is that the user is:
>
> Error Type: Unauthorized
> Error Value: You are not allowed to access title in this context
>
> With a traceback like this:
>
> Traceback (innermost last):
>   File D:\zope25\lib\python\ZPublisher\Publish.py, line 150, in publish_module
>   File D:\zope25\lib\python\ZPublisher\Publish.py, line 114, in publish
>   File D:\zope25\lib\python\Zope\__init__.py, line 159, in zpublisher_exception_hook
>     (Object: ftest2)
>   File D:\zope25\lib\python\ZPublisher\Publish.py, line 98, in publish
>   File D:\zope25\lib\python\ZPublisher\mapply.py, line 88, in mapply
>     (Object: index_html)
>   File D:\zope25\lib\python\ZPublisher\Publish.py, line 39, in call_object
>     (Object: index_html)
>   File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 252, in __call__
>     (Object: index_html)
>   File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 283, in _bindAndExec
>     (Object: index_html)
>   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 177, in _eval
>   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 134, in _eval
>     (Info: template)
>   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 327, in restrictedTraverse
>     (Object: index_html)
>     (Info: {'path': ['title'], 'TraversalRequestNameStack': []})
>   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 345, in validate2
>     (Object: index_html)
>   File D:\zope25\lib\python\AccessControl\SecurityManager.py, line 83, in validate
>   File D:\zope25\lib\python\AccessControl\ZopeSecurityPolicy.py, line 177, in validate
> Unauthorized: (see above)
>
> Does anyone else see this, am I doing something wrong, is it a bug, or am I
> completely insane?
>
> I'd appreciate any reports sent either to me direct or to the list.
>
> tia
>
> ps.
>     reporting on my sanity will get you no brownie points whatsoever ;)
>
>
> Phil
>
>
>