[Zope] weird, zpt security problem?
Phil Harris
phil@harris-family.info
Sat, 6 Apr 2002 00:28:02 +0100
It's me again, it's not just zpt that has this 'problem', it also happens
with DTML Methods.
My first thought is does it matter, but it's an interesting one.
----- Original Message -----
From: "Phil Harris" <phil@harris-family.info>
To: <zope@zope.org>
Sent: Saturday, April 06, 2002 12:24 AM
Subject: Re: [Zope] weird, zpt security problem?
> I'm replying to my own email 'cos I think I know what the problem is.
>
> If you use the scheme below to try and duplicate the problem you won't, BUT
> if you turn off either one of the permissions for manager then you get the
> symptoms that I describe.
>
> OK, you'll say that manager should have those roles, and I'd agree, but as
> someone else said "it's an unexpected inconsistency".
>
>
> ----- Original Message -----
> From: "Phil Harris" <phil@harris-family.info>
> To: <zope@zope.org>
> Sent: Friday, April 05, 2002 11:42 PM
> Subject: [Zope] weird, zpt security problem?
>
>
> > all,
> >
> > I have a problem and need someone to verify it for me, just so's I know
> > I'm not going insane.
> >
> > Here's what I did:
> >
> > 1. Create a folder in the root, call it folder1
> > 2. Create a new role in folder1, call it member
> > 3. Create a user folder within folder1, and create a user in there with
> > member role
> > 5. create a folder within folder1, call it folder2
> > 4. change the security for folder2 to turn off acquisition for the
> > 'Access contents information' and 'view' and explicitly turn them on for
> > the new member role and manager
> > 6. create a zope page template within folder2, call it index_html keeping
> > the default content
> >
> > now start another browser and try and view the /folder1/folder2/index_html
> > as the user you created earlier
> >
> > At this point I can't log in with anything but a user with manager role,
> > the member who should have enough access (and would have with a dtml method
> > in place of the zpt), can't see this page at all.
> >
> > The error I get back is that the user is:
> >
> > Error Type: Unauthorized
> > Error Value: You are not allowed to access title in this context
> >
> > With a traceback like this:
> >
> > Traceback (innermost last):
> >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 150, in publish_module
> >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 114, in publish
> >   File D:\zope25\lib\python\Zope\__init__.py, line 159, in zpublisher_exception_hook
> >     (Object: ftest2)
> >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 98, in publish
> >   File D:\zope25\lib\python\ZPublisher\mapply.py, line 88, in mapply
> >     (Object: index_html)
> >   File D:\zope25\lib\python\ZPublisher\Publish.py, line 39, in call_object
> >     (Object: index_html)
> >   File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 252, in __call__
> >     (Object: index_html)
> >   File D:\zope25\lib\python\Shared\DC\Scripts\Bindings.py, line 283, in _bindAndExec
> >     (Object: index_html)
> >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 177, in _eval
> >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 134, in _eval
> >     (Info: template)
> >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 327, in restrictedTraverse
> >     (Object: index_html)
> >     (Info: {'path': ['title'], 'TraversalRequestNameStack': []})
> >   File D:\zope25\lib\python\Products\PageTemplates\Expressions.py, line 345, in validate2
> >     (Object: index_html)
> >   File D:\zope25\lib\python\AccessControl\SecurityManager.py, line 83, in validate
> >   File D:\zope25\lib\python\AccessControl\ZopeSecurityPolicy.py, line 177, in validate
> > Unauthorized: (see above)
> >
> > Does anyone else see this, am I doing something wrong, is it a bug, or am
> > I completely insane?
> >
> > I'd appreciate any reports sent either to me direct or to the list.
> >
> > tia
> >
> > ps.
> > reporting on my sanity will get you no brownie points whatsoever ;)
> >
> >
> > Phil
> >
> >
> >
> > _______________________________________________
> > Zope maillist - Zope@zope.org
> > http://lists.zope.org/mailman/listinfo/zope
> > ** No cross posts or HTML encoding! **
> > (Related lists -
> > http://lists.zope.org/mailman/listinfo/zope-announce
> > http://lists.zope.org/mailman/listinfo/zope-dev )