[Zope] zope 2.7: Unauthorized "in this context"
John Hunter
jdhunter at ace.bsd.uchicago.edu
Wed Jun 15 10:48:41 EDT 2005
>>>>> "Dieter" == Dieter Maurer <dieter at handshake.de> writes:
Dieter> John Hunter wrote at 2005-6-7 09:52 -0500:
>> ... Traceback (innermost last): ... URL:
>> http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
>> Physical Path:/srp/2005/Sections/B1/Amrita
>> Arora/ProjectSubmission_addForm * Module
>> DocumentTemplate.DT_String, line 474, in __call__ * Module
>> DocumentTemplate.DT_With, line 76, in render
>>
>> Unauthorized: You are not allowed to access 'mentor' in this
>> context
Dieter> The "VerboseSecurity" product may give you more detailed
Dieter> information.
Hi Dieter,
I installed VerboseSecurity and now get a more helpful error message
in the log (to refresh your memory, this is a pure ZClass based
product which stopped working on an upgrade to 2.7). Here is the
updated message
Exception Type Unauthorized
Exception Value The container has no security assertions. Access to
'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.
I googled this error message and found this thread,
http://www.gossamer-threads.com/lists/zope/users/176379. You
responded to the OP
> Unauthorized: The container has no security assertions. Access to
> 'title_or_id' of (FactoryDispatcher instance at e68510)
> denied. (Also,
> an error occurred while attempting to render the standard error message.)
This is very strange:
It is true that a "FactoryDispatcher"
("App.FactoryDispatcher.FactoryDispatcher") does not have security
assertions. But usually, it does not have a "title_or_id"
either. Therefore, it should not be relevant with respect to
"title_or_id" access that it lacks security assertions.
Maybe, it is a bug introduced with the security tighening introduced
in Zope 2.7.3 (there was some discussion about such a bug in the
mailing list (zope-dev, I think)).
You can try to add a "__role__ = None" and maybe a
"__allow_access_to_unprotected_subobjects__ = 1" to the
"FactoryDispatcher" class (--> "App/FactoryDispatcher.py") to see
whether the problem disappears. These two attributes will provide
security assertions for the factory.
Your "header/manage_main" DTML Method seems a bit strange, too. Why
does it use a "dtml-in" and in it a "dtml-with" and in it access to
"title_or_id". This is somewhat unexpected in the add form of a
ZClass.
But there was no followup. Before I start hacking
App/FactoryDispatcher.py, I wanted to check in here and see if there
was a resolution to this problem, if this is a known bug with a fix,
etc.
Thanks!
JDH
More information about the Zope
mailing list