[Zope] Screwy permissions problem has me stumped

Kirk Strauser kirk at daycos.com
Thu Mar 23 15:23:37 EST 2006


My Zope server uses exUserFolder and PostgreSQL for authentication.  I
turned on query logging today for unrelated reasons, and noticed an almost
continuous stream of queries:

  SELECT * FROM passwd
    where upper(username)=upper('kirk')
  SELECT * FROM passwd
    where upper(username)=upper('kirk')
  SELECT * FROM passwd
    where upper(username)=upper('kirk')
  SELECT * FROM passwd
    where upper(username)=upper('kirk')

where "kirk" is my own username.  The problem was that I wasn't logged in
at the time.  I traced the problem back to our main page template, which
starts with:

<head>
  <title>Example.com : <span tal:replace="template/title_or_id">Page Title</span></title>
</head>

Being curious, I changed my username in the PostgreSQL table to "kirk_foo",
and watched as my logfiles began filling with 401 errors with backtraces
like:

  Time                  2006/03/23 13:46:38.832 US/Central
  User Name (User Id)   ourcustomer (ourcustomer)
  Request URL           http://www.example.com/invoices/index_html
  Exception Type        Unauthorized
  Exception Value       You are not allowed to access 'title_or_id' in this context

as customers get messages like:

  Site Error

  An error was encountered while publishing this resource.

  Error Type: Unauthorized
  Error Value: You are not allowed to access 'title_or_id' in this context

Now, "ourcustomer" has full rights to the "invoices" folder and all files
in it, but they can't execute the "title_or_id" method on objects inside.
Also, how on Earth did my username get dragged into this?  As the main site
developer, I own all the objects in the site, but I don't have any odd Proxy
access set up.  I can't figure out why customers are trying to call
title_or_id as me in the first place, let alone why it fails.  Any insight?
-- 
Kirk Strauser
The Day Companies
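The mechanism behind the symptoms in this post, as an added Python model that is not Zope's or exUserFolder's own code: in Zope 2 an executable object such as a Page Template carries an owner, and on each request the security policy resolves that owner through the user folder (the repeated passwd SELECT) and requires both the owner and the caller to hold the permission, so a renamed owner row resolves to the roleless special user "nobody" and every protected access from that template fails. The passwd contents and the role set guarding title_or_id are constructed assumptions.

```python
"""Model of the Zope 2 ownership check behind the post's Unauthorized error.

Added illustration, not Zope's or exUserFolder's code. An executable object
stores its owner as a user id in a user folder. On every request the
security policy resolves that owner through the user folder (here a SELECT
on the passwd table) and requires BOTH owner and caller to hold the
permission, so effective rights are the intersection of the two. An owner
id missing from the table resolves to the special user 'nobody' (no roles).
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed stand-in for the passwd table behind exUserFolder.
passwd: Dict[str, Set[str]] = {
    "kirk": {"Manager", "Owner"},
    "ourcustomer": {"Customer"},
}

NOBODY: FrozenSet[str] = frozenset()  # SpecialUsers.nobody has no roles


def owner_roles(owner_id: str, query_log: List[str]) -> FrozenSet[str]:
    """Resolve the template's owner; this is the query that floods pg logs."""
    query_log.append(
        f"SELECT * FROM passwd where upper(username)=upper('{owner_id}')"
    )
    roles = passwd.get(owner_id.lower())
    return frozenset(roles) if roles is not None else NOBODY


def validate(owner_id: str, caller_roles: Set[str],
             required: Set[str], query_log: List[str]) -> str:
    """Return 'ok' or the reason access is Unauthorized.

    `required` is the (assumed) set of roles granted the permission that
    protects title_or_id on the target object. Zope checks the owner first,
    so the owner lookup fires even for callers who would fail anyway.
    """
    if not (owner_roles(owner_id, query_log) & required):
        return "Unauthorized: owner lacks permission (missing owner -> nobody)"
    if not (caller_roles & required):
        return "Unauthorized: caller lacks permission"
    return "ok"


def render_invoices(owner_id: str, caller_roles: Set[str]) -> Tuple[str, List[str]]:
    """Simulate publishing invoices/index_html for one request."""
    log: List[str] = []
    result = validate(owner_id, caller_roles, {"Manager", "Customer"}, log)
    return result, log
```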