[Zope] Re: ZClasses and Permissions (Zope Collector 444)
Brent Hendricks
brentmh@ece.rice.edu
Fri, 13 Sep 2002 08:28:04 -0500
Dieter Maurer wrote:
> > Digging into the
> > Zope code a bit, I discovered that manage_renameObjects falls under the
> > "View management screens" permission,
> Almost surely, your problem is not caused by a missing permission
> on "manage_renameObjects" itself, but inside "manage_pasteObjects".
> Cancel the browser login dialog and look at the traceback.
> Where does the exception come from?
Here's the last few lines:

  (Info: ({'script': <PythonScript instance at 8d4add0>, 'context': <RisaWorkgroup instance at 8fb22a0>, 'container': <RisaWorkgroup instance at 8fb22a0>, 'traverse_subpath': []}, (), {}, None))
  File Script (Python), line 17, in renameFiles
  File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 286, in manage_renameObjects
    (Object: 192)
  File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 301, in manage_renameObject
    (Object: 192)
  File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 414, in _verifyObjectPaste
    (Object: 192)
Unauthorized: Add Documents, Images, and Files

It's not going through manage_pasteObjects, but the function that raises
the error does appear to be _verifyObjectPaste (perhaps this is what you
meant?)
> This may be able to map "View management screens" such that you can
> access "manage_renameObjects", but probably "manage_pasteObjects"
> still fails because the necessary permission (create permission)
> is checked on the target ObjectManager.
Gotcha. Hence the "Unauthorized: Add Documents, Images, and Files." In
this case, the ObjectManager in question is an instance of my ZClass,
which subclasses ZObjectManager.
It looks like _verifyObjectPaste is calling
getSecurityManager().checkPermission( mt_permission, self ), and this is
failing. Digging through the source code a bit, it doesn't look like
checkPermission() checks for proxy roles. In fact, looking at the
current CVS HEAD, there's even a comment to this effect:
"# XXX proxy roles and executable owner are not checked"
:(
--Brent
-------------------------------------------------------------------------
"The programmer, like the poet, works only slightly removed from pure
thought-stuff. He builds his castles in the air, from air, creating
by exertion of the imagination. Few media of creation are so
flexible, so easy to polish and rework, so readily capable of
realizing grand conceptual structures."
-- Frederick Brooks, Jr., The Mythical Man Month
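
Added example (not part of the original message and not Zope's own code): a simplified Python model of the behaviour described in the message above, where access validation honours a script's proxy roles but the explicit permission check made during paste verification consults only the requesting user's roles. All class and function names and the role assignments are assumptions made for illustration.

```python
# Simplified model (hypothetical names, not Zope's source) of two check paths.
class Unauthorized(Exception):
    pass

class Container:
    """Stand-in for an ObjectManager: maps permission name -> allowed roles."""
    def __init__(self, permission_roles):
        self.permission_roles = permission_roles

    def roles_for(self, permission):
        return set(self.permission_roles.get(permission, ("Manager",)))

class SecurityContext:
    """Requesting user's roles plus the proxy roles of executing scripts."""
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.proxy_role_stack = []

def validate(ctx, container, permission):
    """Access validation: a running script's proxy roles replace the user's."""
    needed = container.roles_for(permission)
    if ctx.proxy_role_stack and ctx.proxy_role_stack[-1]:
        return bool(needed & set(ctx.proxy_role_stack[-1]))
    return bool(needed & ctx.user_roles)

def check_permission(ctx, container, permission):
    """Explicit check: only the user's own roles count; proxy roles are ignored."""
    return bool(container.roles_for(permission) & ctx.user_roles)

def rename_via_script(ctx, container, proxy_roles):
    """A script with proxy roles calls a rename that re-checks the add permission."""
    ctx.proxy_role_stack.append(tuple(proxy_roles))
    try:
        if not validate(ctx, container, "View management screens"):
            raise Unauthorized("View management screens")
        if not check_permission(ctx, container, "Add Documents, Images, and Files"):
            raise Unauthorized("Add Documents, Images, and Files")
        return "renamed"
    finally:
        ctx.proxy_role_stack.pop()

if __name__ == "__main__":
    # Constructed sample: both permissions are granted to Manager only.
    workgroup = Container({"View management screens": ("Manager",),
                           "Add Documents, Images, and Files": ("Manager",)})
    try:
        rename_via_script(SecurityContext(["Member"]), workgroup, ["Manager"])
    except Unauthorized as exc:
        print("Unauthorized:", exc)  # second check fails despite the proxy role
```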