[Zope] user account defined outside context of object being accessed

Kees de Brabander cj.de.brabander at hccnet.nl
Thu Dec 15 14:13:26 EST 2005


----- Original Message ----- 
From: "Chris Withers" <chris at simplistix.co.uk>
To: "Kees de Brabander" <cj.de.brabander at hccnet.nl>
Cc: <zope at zope.org>
Sent: Thursday, December 15, 2005 4:24 PM
Subject: Re: [Zope] user account defined outside context of object being accessed


> Kees de Brabander wrote:
> > Unauthorized: Your user account is defined outside the context of the
> > object being accessed.  Access to 'f1_index' of (Folder at /f1), acquired
> > through (Folder at /f1/f11/f111), denied. Your user account, user1, exists at
> > /f1/f11/acl_users. Access requires one of the following roles:
> > ['Authenticated', 'Manager', 'Owner', 'student'].
>
> Looks like you were inadvertently taking advantage of a security hole in
> Zope that got plugged. That said, your example was extremely complicated.

Well, that's life ;)

>
> Can you come up with as simple an example as possible so that we can
> maybe help you out?

I can't make the example any simpler than I did.
I guess it boils down to the fact that a user defined in a user folder
somewhere farther down along a path cannot acquire objects higher up that
path when the acquisition of the view permission of that object or its
container is disabled and the view permission is granted again to specific
roles. This was possible up to Zope version 2.7.3, but not anymore from
2.7.8. Somewhere in between this was changed, but I could not find an
explicit reference. I used this construction a lot of times, so I have to
restructure several applications. I guess that's life as well.
Thanks anyway, cb
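The following is an added example, not code from this thread or from Zope itself: a simplified Python model of the two checks that combine to produce the Unauthorized message quoted above. It reproduces the behaviour the reply describes, namely that the denial only appears once View is no longer acquired from a root that grants it to Anonymous, and that the "user context" check is made against the folder where the object physically lives, not against the folder it was acquired through. The folder tree, role names and user are constructed to mirror the paths in the quoted message; the class and method names are this example's own.

```python
# Added example, not code from the mailing-list thread or from Zope:
# a simplified model of the checks behind the quoted Unauthorized message.
# Folder paths, role names and users below are constructed for illustration.

ANONYMOUS = "Anonymous"


class Folder:
    """One folder in a toy Zope-like tree, identified by its physical path."""

    def __init__(self, path, view_roles=None, acquire_view=True, users=None):
        self.path = path                         # e.g. "/f1/f11"
        self.view_roles = set(view_roles or [])  # roles granted View on this folder
        self.acquire_view = acquire_view         # False = "acquire permission settings" off
        self.users = dict(users or {})           # this folder's acl_users: name -> roles


class Site:
    def __init__(self, folders):
        self.folders = {f.path: f for f in folders}

    def ancestors(self, path):
        """Physical containment chain from `path` up to the root '/'."""
        chain = [path]
        while path != "/":
            path = path.rsplit("/", 1)[0] or "/"
            chain.append(path)
        return chain

    def find_user(self, name):
        """Return (folder holding the acl_users, roles) for `name`, or None."""
        for folder in self.folders.values():
            if name in folder.users:
                return folder, set(folder.users[name]) | {"Authenticated"}
        return None

    def roles_for_view(self, path):
        """Roles granting View at `path`, walking up the physical chain until a
        folder stops acquiring the permission setting from its parent."""
        roles = set()
        for p in self.ancestors(path):
            folder = self.folders[p]
            roles |= folder.view_roles
            if not folder.acquire_view:
                break
        return roles

    def check_view(self, user_name, attr, located_at, acquired_through):
        """May `user_name` view `attr`, which physically lives on the folder at
        `located_at` but was reached by acquisition through `acquired_through`?
        Returns (allowed, reason)."""
        found = self.find_user(user_name)
        if found is None:
            return False, "unknown user"
        user_folder, user_roles = found
        required = self.roles_for_view(located_at)

        # Objects viewable by Anonymous need no further checks at all; this is
        # why the problem only shows up once View stops being acquired from a
        # root that grants it to Anonymous.
        if ANONYMOUS in required:
            return True, "View is granted to Anonymous"

        if not user_roles & required:
            return False, "user has none of %s" % sorted(required)

        # Context check on the physical location of the object, not on the
        # acquisition path: the account may only act on objects at or below
        # the folder holding the acl_users that defines it.
        if user_folder.path not in self.ancestors(located_at):
            return False, (
                "Your user account is defined outside the context of the object "
                "being accessed. Access to %r of (Folder at %s), acquired through "
                "(Folder at %s), denied. Your user account, %s, exists at "
                "%s/acl_users. Access requires one of the following roles: %s."
                % (attr, located_at, acquired_through, user_name,
                   user_folder.path, sorted(required)))
        return True, "role match within user context"


# Constructed tree mirroring the paths in the quoted message.
SITE = Site([
    Folder("/", view_roles={ANONYMOUS, "Manager"}),
    Folder("/f1", view_roles={"Authenticated", "Manager", "Owner", "student"},
           acquire_view=False),
    Folder("/f1/f11", users={"user1": ["student"]}),
    Folder("/f1/f11/f111"),
])


def denied_case():
    # f1_index lives on /f1 but is acquired through /f1/f11/f111
    return SITE.check_view("user1", "f1_index", "/f1", "/f1/f11/f111")


def allowed_case():
    # an object living inside the user's own context is fine
    return SITE.check_view("user1", "f111_index", "/f1/f11/f111", "/f1/f11/f111")


def acquired_anonymous_case():
    # with View still acquired from the root, Anonymous is among the roles
    # and the context check never runs
    SITE.folders["/f1"].acquire_view = True
    try:
        return SITE.check_view("user1", "f1_index", "/f1", "/f1/f11/f111")
    finally:
        SITE.folders["/f1"].acquire_view = False


if __name__ == "__main__":
    for case in (denied_case, allowed_case, acquired_anonymous_case):
        print(case.__name__, *case())
```

Running it prints the quoted denial for `denied_case`, while `allowed_case` shows that the same user and role succeed for an object inside /f1/f11, and `acquired_anonymous_case` shows that re-enabling acquisition of View on /f1 (so that the root's grant to Anonymous reaches it) makes the context check moot.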
