[Zope] taking ownership requires HTTP_REFERER; and more
Fred Yankowski
fred at ontosys.com
Tue Sep 14 18:36:46 EDT 2004
OK, here's a quick note about what I learned today. Perhaps this will
help some googler some day.

The root problem I set out to fix was that I could not create a new
issue via a ZWiki issue tracker when logged in as a regular Member; it
would always result in Insufficient Privileges. This even though I
could create new wiki pages in the same wiki instance/folder. I
eventually figured out on another Zope/Plone instance that granting
the 'ZWiki: Add pages' permission to Owner allows the
createNextIssue() method called from the issuetrackerdtml DTML method
to run.

But that didn't work on the problematic instance, apparently because
that DTML method was owned by 'admin', the Zope superuser. And *that*
happened because the Plone site was imported by someone (not me --
honest) logged in as admin who chose to take ownership during the
import.

So I logged in to the ZMI as a non-admin Manager user and tried to
take ownership of the portal_skins folder (and all content below it).
That resulted in Insufficient Privileges too. The error_log entry had
this:

    Unauthorized: manage_takeOwnership was called from an invalid context

That method requires the HTTP_REFERER value from the request to do its
work. (Why? Is that really to be trusted?) I typically access sites
via a proxy (junkbuster) that removes the HTTP_REFERER header and so I
was hosed.

After bypassing that proxy I was able to take ownership of
portal_skins from the non-admin Manager account. And with that done I
was finally able to create a ZWiki issue-tracker item when logged in
as a regular Member. Q.E.D.

--
Fred Yankowski fred at ontosys.com tel: +1.630.879.1312
OntoSys, Inc PGP keyID: 7B449345
www.ontosys.com 38W242 Deerpath Rd, Batavia, IL 60510-9461, USA
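
An added example, not part of the original message and not Zope's own code: a minimal Referer-based context check of the kind the message describes, showing why a request whose HTTP_REFERER was stripped by a proxy is rejected just like one submitted from another site. The names check_calling_context and outcome, the example URLs and the rule of comparing scheme, host and path are assumptions made for illustration.

```python
from urllib.parse import urlsplit


class Unauthorized(Exception):
    """Stand-in for the Unauthorized error seen in the error_log."""


def normalized(url):
    """Reduce a URL to scheme://host/path, dropping query and fragment."""
    parts = urlsplit(url)
    return "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(), parts.path)


def check_calling_context(environ, expected_form_url):
    """Raise Unauthorized unless the request's Referer is the expected form.

    environ is a CGI/WSGI-style dict. A header-stripping proxy leaves
    HTTP_REFERER absent, which is treated the same as a wrong value.
    """
    referer = environ.get("HTTP_REFERER", "")
    if not referer or normalized(referer) != normalized(expected_form_url):
        raise Unauthorized("called from an invalid context")
    return True


def outcome(environ, expected_form_url):
    """Return 'allowed' or 'Unauthorized' for one request."""
    try:
        check_calling_context(environ, expected_form_url)
        return "allowed"
    except Unauthorized:
        return "Unauthorized"


# Constructed sample values; host and paths are placeholders (assumptions).
FORM = "http://zope.example/site/portal_skins/ownership_form"
CASES = {
    "submitted from the ownership form": {"HTTP_REFERER": FORM + "?x=1"},
    "Referer stripped by a filtering proxy": {},
    "submitted from a page on another site": {
        "HTTP_REFERER": "http://other.example/page.html"},
}

if __name__ == "__main__":
    for label, environ in CASES.items():
        print("%-40s %s" % (label, outcome(environ, FORM)))
```

Because the client supplies the header, a check like this only constrains requests a browser sends on behalf of a logged-in user from some other page; it does not authenticate the caller.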