[Zope] Screwy permissions problem has me stumped
Kirk Strauser
kirk at daycos.com
Thu Mar 23 15:23:37 EST 2006
My Zope server uses exUserFolder and PostgreSQL for authentication. I
turned on query logging today for unrelated reasons, and noticed an almost
continuous stream of queries:
    SELECT * FROM passwd
      where upper(username)=upper('kirk')
    SELECT * FROM passwd
      where upper(username)=upper('kirk')
    SELECT * FROM passwd
      where upper(username)=upper('kirk')
    SELECT * FROM passwd
      where upper(username)=upper('kirk')
where "kirk" is my own username. The problem was that I wasn't logged in
at the time. I traced the problem back to our main page template, which
starts with:
    <head>
      <title>Example.com : <span tal:replace="template/title_or_id">Page Title</span></title>
    </head>
Being curious, I changed my username in the PostgreSQL table to "kirk_foo",
and watched as my logfiles began filling with 401 errors with backtraces
like:
    Time             2006/03/23 13:46:38.832 US/Central
    User Name (User Id)  ourcustomer (ourcustomer)
    Request URL      http://www.example.com/invoices/index_html
    Exception Type   Unauthorized
    Exception Value  You are not allowed to access 'title_or_id' in this context
as customers get messages like:
    Site Error
    An error was encountered while publishing this resource.
    Error Type: Unauthorized
    Error Value: You are not allowed to access 'title_or_id' in this context
Now, "ourcustomer" has full rights to the "invoices" folder and all files
in it, but they can't execute the "title_or_id" method on objects inside.
Also, how on Earth did my username get dragged into this? As the main site
developer, I own all the objects in the site, but I don't have any odd Proxy
access set up. I can't figure out why customers are trying to call
title_or_id as me in the first place, let alone why it fails. Any insight?
--
Kirk Strauser
The Day Companies
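The following is an added toy model, not code from the post, from Zope or from exUserFolder, that reproduces the two symptoms described above under one assumption: that rendering a template looks up the template's owner in the user folder on every request, keyed on the owner's username rather than on whoever is logged in. The ownership-check behaviour, the class and field names, and the sample rows are all assumptions made for the illustration; only the shape of the query and of the error message are taken from the post.

```python
"""Toy model of owner-validated template execution.

Constructed for this thread; it is not Zope, exUserFolder or PostgreSQL
code.  Assumption being modelled: before a template expression runs, the
template's *owner* is looked up in the user folder, independently of who
is making the request, so a renamed owner row turns every customer's
request into an Unauthorized error naming the first expression evaluated.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception (name reused, code is ours)."""


@dataclass
class UserFolder:
    """Stand-in for the passwd table behind exUserFolder (constructed data)."""
    rows: dict                                   # stored username -> record
    query_log: list = field(default_factory=list)

    def get_user(self, name):
        # Same shape as the query in the PostgreSQL log: case-insensitive match.
        self.query_log.append(
            "SELECT * FROM passwd where upper(username)=upper(%r)" % name)
        for stored, record in self.rows.items():
            if stored.upper() == name.upper():
                return record
        return None


@dataclass
class Template:
    owner: str          # username that created the object (hypothetical field)
    expressions: list   # TAL expressions evaluated in order, e.g. 'title_or_id'
    title: str


@dataclass
class Folder:
    name: str
    allowed: set        # usernames granted access to objects in the folder


def render(folder, template, requester, users):
    """Render `template` for `requester`; return the rendered text or raise."""
    # Check 1: the requester's own rights on the folder (ourcustomer passes).
    if requester not in folder.allowed:
        raise Unauthorized(
            "You are not allowed to access %r in this context" % folder.name)
    rendered = []
    for expr in template.expressions:
        # Check 2 (the modelled assumption): the object's owner must still
        # resolve in the user folder before an expression runs.  The lookup
        # is keyed on the owner, not the requester, which is why 'kirk' shows
        # up in the query log while nobody named kirk is logged in.
        if users.get_user(template.owner) is None:
            raise Unauthorized(
                "You are not allowed to access '%s' in this context" % expr)
        rendered.append(template.title if expr == "title_or_id" else expr)
    return " ".join(rendered)


def simulate(owner_row_name):
    """Run one customer request against a user folder whose owner row is
    stored under `owner_row_name`; return (outcome, query_log)."""
    users = UserFolder(rows={owner_row_name: {"role": "Manager"},
                             "ourcustomer": {"role": "Customer"}})
    invoices = Folder("invoices", allowed={"ourcustomer"})
    index_html = Template(owner="kirk", expressions=["title_or_id"],
                          title="Invoices")
    try:
        return render(invoices, index_html, "ourcustomer", users), users.query_log
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc, users.query_log


if __name__ == "__main__":
    for name in ("kirk", "kirk_foo"):
        outcome, log = simulate(name)
        print(name, "->", outcome)
        for line in log:
            print("   ", line)
```

Running it with the owner row stored as "kirk" renders the page and logs exactly one lookup for 'kirk' although the request came from ourcustomer; storing the row as "kirk_foo" leaves the customer's folder rights untouched but makes the same lookup miss, and the request fails on 'title_or_id', the first expression in the template. Whether Zope's real ownership validation works this way is the open question in the post; the model only shows that such a check would produce both observations.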