[Zope] Weird things happen when Manager does not have View permission

Damien Baty damien at pilotsystems.net
Wed Sep 1 09:28:07 EDT 2004


	Hello,

   I am running into a somewhat weird error. AFAICT, it should not
happen. But, well, it does.

   This involves two folders, a user, a DTML method and a file:
   / (Zope root folder, which defines 'manager' as Manager)
   /folder (defines 'Viewer' role)
   /folder/acl_users (defines 'viewer' user with 'Viewer' role)
   /folder/method (content is '<dtml-var title_or_id()>')
   /folder/subfolder
   /folder/subfolder/file

   All objects belong to "manager".

   I have defined permissions like this (the ones which are not mentioned
are default):
   - '/folder' : "View" and "Access Contents Permission" : does not
acquire from parent, only granted to 'Manager' and 'Viewer' roles.
   - '/folder/subfolder' : as for '/folder'.
   - '/folder/method' and '/folder/subfolder/file': default (every
permission is acquired).

   When I try to visit http://server/folder/subfolder/file/method as
'viewer', I am asked to authenticate myself, and I am authorized to see
the title of the file. Good.

   But if I unselect the 'Manager' role for the 'View' permission of
'/folder/subfolder', user 'viewer' is now unauthorized. Error is:
     Traceback (innermost last):

       * Module ZPublisher.Publish, line 101, in publish
       * Module ZPublisher.mapply, line 88, in mapply
       * Module ZPublisher.Publish, line 39, in call_object
       * Module OFS.DTMLMethod, line 130, in __call__
         <DTMLMethod instance at 91df560>
         URL: http://server/folder/method/manage_main
         Physical Path:/folder/method
       * Module DocumentTemplate.DT_String, line 474, in __call__
   Unauthorized: You are not allowed to access 'title_or_id' \
                 in this context

   I do think that it is not supposed to happen. But before digging a
little deeper to try to find out where the error comes from, I wanted to
be sure. Any clues?

   I am running a clean install of Zope-2.7.2 and Python2.3.

-- 
Damien Baty - damien at pilotsystems.net
Pilot Systems - 66, rue de Provence - 75009 Paris
Tel : +33 1 44 53 05 55 - http://www.pilotsystems.net
Hébergement Zope et Plone gratuit - http://www.objectis.org
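
The setup described in this message can be reproduced with a small model. This is an added example, not code from the post or from Zope: it is a simplified Python model of permission acquisition combined with Zope 2's ownership rule for executable content, under which the owner of the running DTML method must also be allowed to access what the method touches. It assumes `title_or_id` is protected by 'View', consistent with the behaviour reported; `Node`, `check` and `scenario` are hypothetical names.

```python
# Simplified model, not Zope source. Paths, users and roles come from the post.
ACQUIRE = None  # marker: the 'View' setting is acquired from the parent


class Node:
    def __init__(self, path, parent=None, view_roles=ACQUIRE):
        self.path, self.parent, self.view_roles = path, parent, view_roles

    def roles_for_view(self):
        """Walk up containment until a node sets 'View' explicitly."""
        node = self
        while node.view_roles is ACQUIRE:
            node = node.parent
        return node.view_roles


def build(subfolder_view_roles):
    # Constructed root setting; never reached, since /folder does not acquire.
    root = Node("/", None, {"Manager"})
    folder = Node("/folder", root, {"Manager", "Viewer"})
    subfolder = Node("/folder/subfolder", folder, subfolder_view_roles)
    return Node("/folder/subfolder/file", subfolder)  # acquires everything


USERS = {"manager": {"Manager"}, "viewer": {"Viewer"}}  # user -> roles


def check(target, user, executable_owner=None):
    """Return (allowed, reason) for a 'View'-protected access to target.

    Inside executable content (the DTML method), the owner of that
    executable must hold a granted role as well as the requesting user.
    """
    required = target.roles_for_view()
    if not USERS[user] & required:
        return False, "user %r lacks a role in %s" % (user, sorted(required))
    if executable_owner is not None and not USERS[executable_owner] & required:
        return False, "owner %r lacks a role in %s" % (
            executable_owner, sorted(required))
    return True, "ok"


def scenario(subfolder_view_roles):
    # /folder/method is owned by 'manager' and requested by 'viewer'.
    return check(build(subfolder_view_roles), "viewer", "manager")


if __name__ == "__main__":
    print(scenario({"Manager", "Viewer"}))  # both roles granted on subfolder
    print(scenario({"Viewer"}))             # 'Manager' unselected for 'View'
```

In this model the second case fails on the owner check, not on the requesting user, so removing a role from the owner of executable content can lock out every caller of that content.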


