[Zope] user account defined outside context of object being accessed

Kees de Brabander cj.de.brabander at hccnet.nl
Tue Dec 13 16:40:03 EST 2005


I am in the process of upgrading from Zope 2.5.1 (yes, very old).
I used to use the following setup. Prototypically I had the following chain
of folders and methods:
f1 (folder)
    f1_index (dtmlmethod)
    f11 (folder)
        acl_users (user folder)
        f111 (folder)
            index_html (calling f1_index)
I used f1 to place methods and scripts to be acquired by methods in f111. At
the level of f1 I defined local roles, disabled the acquisition of the view
permission and added that permission on the same level again to existing
roles including the local roles except Anonymous. f11 contained a user
folder populated with accounts with local roles defined in f1.
The url www.domain.nl/f1/f11/f111 would render the content of f1_index after
logging in with an account from acl_users in f11 (basic authentication),
that is, at least up to Zope 2.7.3. At least from 2.7.8 on, this very same
user is not allowed to access f1_index anymore.
I could solve the problem by moving the user folder from f11 to f1, but
actually I have also f12, f13, f14, and so on, each with its distinct group
of users. The setup described enabled me to remove folders at the second
level when they are not needed any more including the whole group of users
involved. Furthermore, though the second level folders share a group of
methods, some were also specific for specific groups.
Another option would be to disable the acquisition of the view permission
not on the f1 level, but on the f11 level. However, in that case the url
www.domain.nl/f1 would acquire the index_html from the root folder instead
of disallowing access.
Apparently I have to change my habits. But how do I come near to my use
case?

The error message is most verbose in 2.8.4 and reads:
Traceback (innermost last):
  Module ZPublisher.Publish, line 113, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 40, in call_object
  Module OFS.DTMLMethod, line 144, in __call__
   - <DTMLMethod at /f1/f11/f111/index_html>
   - URL: http://localhost:8080/f1/f11/f111/index_html/manage_main
   - Physical Path: /f1/f11/f111/index_html
  Module DocumentTemplate.DT_String, line 476, in __call__
  Module AccessControl.ImplPython, line 184, in guarded_getattr
  Module AccessControl.ImplPython, line 693, in guarded_getattr
  Module AccessControl.ImplPython, line 635, in aq_validate
  Module AccessControl.ImplPython, line 529, in validate
  Module AccessControl.ImplPython, line 449, in validate
  Module AccessControl.ImplPython, line 774, in raiseVerbose
Unauthorized: Your user account is defined outside the context of the object
being accessed.  Access to 'f1_index' of (Folder at /f1), acquired through
(Folder at /f1/f11/f111), denied. Your user account, user1, exists at
/f1/f11/acl_users. Access requires one of the following roles:
['Authenticated', 'Manager', 'Owner', 'student'].
-------------- next part --------------
A non-text attachment was scrubbed...
Name: f1.zexp
Type: application/octet-stream
Size: 2195 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope/attachments/20051213/e4698f0d/f1.obj
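
The check behind the "defined outside the context" error above, as an added example that is not part of the original post and not Zope's own code: a simplified Python model, assuming (from the error text) that an account is valid only for objects contained in the folder that holds its acl_users. The `student` role given to user1, the helper names and the list of objects touched by the request are constructed for illustration.

```python
# Simplified model (assumption): illustrates the rule stated in the error
# message, it is not the AccessControl implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    user_folder: str  # physical path of the acl_users defining the account

def _parts(path):
    # Compare path segments, not strings, so /f1/f11 is not a prefix of /f1/f111.
    return tuple(p for p in path.split("/") if p)

def in_context(user, obj_path):
    """True if the folder holding the user's acl_users contains obj_path."""
    home = _parts(user.user_folder)[:-1]  # drop the trailing 'acl_users'
    return _parts(obj_path)[:len(home)] == home

def check_access(user, obj_path, required_roles):
    """Return (allowed, reason) for one object reached during a request."""
    if not user.roles & set(required_roles):
        return False, "missing role"
    if not in_context(user, obj_path):
        return False, "user defined outside the context of the object"
    return True, "ok"

def check_request(user, touched):
    """Check every object a request touches, each by its own physical path."""
    return {path: check_access(user, path, roles) for path, roles in touched}

REQUIRED = ["Authenticated", "Manager", "Owner", "student"]  # from the traceback
# Constructed request: index_html lives in f111, f1_index is acquired from /f1.
TOUCHED = [("/f1/f11/f111/index_html", REQUIRED), ("/f1/f1_index", REQUIRED)]

user1 = User("user1", frozenset({"student"}), "/f1/f11/acl_users")
moved = User("user1", frozenset({"student"}), "/f1/acl_users")  # user folder in f1

if __name__ == "__main__":
    for label, u in (("acl_users in f11", user1), ("acl_users in f1", moved)):
        for path, (ok, reason) in check_request(u, TOUCHED).items():
            print(f"{label:17} {path:26} {'ALLOW' if ok else 'DENY'} ({reason})")
```

In this model the role check passes in both layouts; only the position of acl_users relative to the acquired f1_index decides the outcome.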

