[Zope] Security issue with manage_page_header

Stacy.Ladnier at noaa.gov Stacy.Ladnier at noaa.gov
Mon Jan 23 20:11:19 EST 2006


I have patched the Navigation and Management so the drop-down containing
'Set Preferences' and 'Logout' is displayed in the menu frame. The 'Set
Preferences' displays a customized page to the user to set a unique set
of options for my application. My product consists of several additional
roles and relies heavily on a nested structure of folders and acl_users
for granting access. 

Previously, under 2.7 I set default security for every store, which is a
top level container, and the entire site consists of several stores. I
have now upgraded to 2.8, created each store as a separate mount point
so it has its own ZODB, and security is set at the root level. 

However, now if a 'Custodian' with an account nested inside of a store
chooses to go to 'Set Preferences' they receive an Unauthorized error.
Zope complains on the RESPONSE.setHeader() call contained in
manage_page_header. I have gone as far as to set __roles__=None on the
manage_page_header and preferences page in my Navigation patch. Only
those users with an account established at the root can gain access to
the preferences. Otherwise, they receive an error. If I allow Anonymous
all permissions in the Security Tab (BiG bad no no in my case) then
users below the root level can gain access to the preferences page. In
my understanding of Security, I thought declaring __roles__=None would
also allow users to access an object without needing to pass security.
What could I possibly be missing????


My site, including the bug, is currently public and to be demoed in two
days. Any assistance or guidance is greatly appreciated.
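The post above turns on two rules of Zope 2's declarative security: an object whose `__roles__` is `None` is public, and a user defined in a nested `acl_users` is only authenticated inside that folder's subtree, so at the root that user is effectively Anonymous. The following is an added illustration in plain Python, not Zope's own code and not a fix for the poster's product; the folder names, user names and the assumption that a root-level helper (stood in for here by a resource named `RESPONSE.setHeader`) requires the `Manager` role are constructed for the example. It shows why making the page itself public does not, by itself, let a nested user through a protected call made while rendering it.

```python
# Simplified model of two Zope 2 security rules (added example, not Zope code):
#   1. A resource whose roles are None (__roles__ = None) is public.
#   2. A user is known only from the acl_users of the folder they live in or
#      any folder below it; above that folder they are Anonymous.

ANONYMOUS = frozenset({"Anonymous"})


class Folder:
    """A container with an optional acl_users mapping of user -> roles."""

    def __init__(self, name, parent=None, users=None):
        self.name = name
        self.parent = parent
        self.users = users or {}  # constructed stand-in for acl_users


class Resource:
    """Something publishable; roles=None models __roles__ = None (public)."""

    def __init__(self, name, roles=None):
        self.name = name
        self.roles = None if roles is None else frozenset(roles)


def effective_roles(user, context):
    """Walk up from `context`; the first acl_users that knows `user` defines
    their roles. If no folder on the way up knows them, they are Anonymous."""
    folder = context
    while folder is not None:
        if user in folder.users:
            return frozenset(folder.users[user]) | {"Authenticated"}
        folder = folder.parent
    return ANONYMOUS


def validate(resource, user, context):
    """Rule 1 first: a public resource needs no role check at all.
    Otherwise the user must hold at least one of the resource's roles
    as seen from `context` (rule 2)."""
    if resource.roles is None:
        return True
    return bool(resource.roles & effective_roles(user, context))


def demo():
    # Constructed site: a root with one Manager, and a store (the nested
    # container of the post) whose acl_users defines a Custodian.
    root = Folder("root", users={"admin": {"Manager"}})
    store = Folder("store", parent=root, users={"custodian": {"Custodian"}})

    # The preferences page with __roles__ = None, and an ASSUMED protected
    # helper living at the root that the page calls while rendering.
    preferences = Resource("manage_preferences", roles=None)
    set_header = Resource("RESPONSE.setHeader", roles=["Manager"])  # assumption

    return {
        "public page, nested user": validate(preferences, "custodian", store),
        "protected call at root, nested user": validate(set_header, "custodian", root),
        "protected call at root, root user": validate(set_header, "admin", root),
        "nested user's roles as seen at root": effective_roles("custodian", root),
        "nested user's roles as seen in store": effective_roles("custodian", store),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {sorted(result) if isinstance(result, frozenset) else result}")
```

The public check on `manage_preferences` passes for the nested user, but the same user carries only the `Anonymous` role when evaluated at the root, so any root-level call that is not itself public fails for them while succeeding for a root-defined account. That matches the symptom described (only root-level accounts reach the page, and opening everything to Anonymous "fixes" it); whether `setHeader` is the protected call in the poster's Zope 2.8 setup is an assumption of this model, not something the post establishes.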
