[Zope] Screwy permissions problem has me stumped

Andrew Milton akm at theinternet.com.au
Thu Mar 23 22:24:42 EST 2006


+-------[ Kirk Strauser ]----------------------
| My Zope server uses exUserFolder and PostgreSQL for authentication.  I
| turned on query logging today for unrelated reasons, and noticed an almost
| continuous stream of queries:

[snip]

| Now, "ourcustomer" has full rights to the "invoices" folder and all files
| in it, but they can't execute the "title_or_id" method on objects inside.
| Also, how on Earth did my username get dragged into this?  As the main site
| developer, I own all the objects in the site, but I don't have any odd Proxy
| access set up.  I can't figure out why customers are trying to call
| title_or_id as me in the first place, let alone why it fails.  Any insight?

Every TAL call pretty much creates a new security context, which is why it's 
hitting the DB so often (this is why it's best to turn on caching in XUF even 
for 5 or 10 seconds if you're using a 'slow' auth mechanism).

I'm not sure why it's using your username and not their own though, without
actually looking at your setup. XUF just executes the lookups based on what
Zope tells it to do.

-- 
Andrew Milton
akm at theinternet.com.au
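
The caching advice in the reply above, as an added example that is not part of the original post and is not exUserFolder's code: a short-TTL cache in front of a slow credential lookup, with the cost that a changed password is still accepted until the entry expires. All class and function names, the 20-expression page and the sample credentials are constructed assumptions.

```python
import hashlib
import hmac

class SlowAuthBackend:
    """Stand-in for a database-backed credential check; counts queries."""
    def __init__(self, users):
        self.users = dict(users)          # constructed sample data
        self.queries = 0

    def check(self, name, password):
        self.queries += 1                 # one query per lookup
        stored = self.users.get(name)
        return stored is not None and hmac.compare_digest(stored, password)

class CachedAuth:
    """Remembers successful checks for ttl seconds; failures are never cached."""
    def __init__(self, backend, ttl, clock):
        self.backend, self.ttl, self.clock = backend, ttl, clock
        self._expiry = {}                 # credential digest -> expiry time

    def check(self, name, password):
        # Key on a digest so the cache never holds the plaintext password.
        key = hashlib.sha256(f"{name}\x00{password}".encode()).hexdigest()
        now = self.clock()
        if self._expiry.get(key, 0) > now:
            return True                   # served from cache, no query
        ok = self.backend.check(name, password)
        if ok:
            self._expiry[key] = now + self.ttl
        else:
            self._expiry.pop(key, None)
        return ok

def render_page(auth, name, password, expressions=20):
    """Assumed model of one page render: each expression re-validates the user."""
    return all(auth.check(name, password) for _ in range(expressions))

def demo():
    now = [0.0]                           # injectable clock for a repeatable run
    backend = SlowAuthBackend({"ourcustomer": "s3cret"})
    cached = CachedAuth(backend, ttl=5, clock=lambda: now[0])
    render_page(backend, "ourcustomer", "s3cret")
    uncached, backend.queries = backend.queries, 0
    render_page(cached, "ourcustomer", "s3cret")
    with_cache = backend.queries
    backend.users["ourcustomer"] = "rotated"           # password changed
    stale_ok = cached.check("ourcustomer", "s3cret")   # old password, inside TTL
    now[0] = 6.0
    after_ttl = cached.check("ourcustomer", "s3cret")  # old password, TTL passed
    return uncached, with_cache, stale_ok, after_ttl

if __name__ == "__main__":
    print(demo())
```

The TTL is the longest time a changed or revoked credential keeps working, which is why a window of a few seconds is the sensible range.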

