[Zope] External Methods and Authentication error (add'l info)

Jonathan dev101 at magma.ca
Thu Mar 8 11:23:17 EST 2007


----- Original Message ----- 
From: "Jonathan" <dev101 at magma.ca>
To: <zope at zope.org>
Sent: Thursday, March 08, 2007 9:27 AM
Subject: [Zope] External Methods and Authentication error


> I have an external method that contains:
>
>        threadFolder = self.unrestrictedTraverse(topFolder + forumId + '/' + threadId, None)
>        threadFolder.manage_changeProperties({'viewCount': threadFolder.viewCount+1})
>
>
> When this external method is invoked (via an 'Anonymous' user invoking a 
> dtml method) I get the following authentication error:
>
> Traceback (innermost last):
>  Module ZPublisher.Publish, line 115, in publish
>  Module ZPublisher.mapply, line 88, in mapply
>  Module ZPublisher.Publish, line 41, in call_object
>  Module OFS.DTMLMethod, line 144, in __call__
>   - <DTMLMethod at /Playwiser/WUI/ViewPublicThread>
>   - URL: http://new.playwiser.com/ViewPublicThread/manage_main
>   - Physical Path: /Playwiser/WUI/ViewPublicThread
>  Module DocumentTemplate.DT_String, line 476, in __call__
>  Module DocumentTemplate.DT_Let, line 75, in render
>  Module DocumentTemplate.DT_Util, line 196, in eval
>   - __traceback_info__: document_id
>  Module <string>, line 1, in <expression>
>  Module Products.ExternalMethod.ExternalMethod, line 232, in __call__
>   - __traceback_info__: (('ViewPublicThread',), {}, None)
>  Module /apps/Zope-2.9.2/Extensions/playwiser-1.0.py, line 705, in ProcessControl
>  Module <string>, line 1, in ?
>  Module /apps/Zope-2.9.2/Extensions/playwiser-1.0.py, line 6212, in subViewPublicThread
>  Module /apps/Zope-2.9.2/Extensions/playwiser-1.0.py, line 3228, in IncrementViewCount
>  Module OFS.PropertyManager, line 320, in manage_changeProperties
>  Module Shared.DC.Scripts.Bindings, line 311, in __call__
>  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
>  Module App.special_dtml, line 175, in _exec
>  Module Shared.DC.Scripts.Bindings, line 182, in __getattr__
>  Module AccessControl.ImplPython, line 563, in validate
>  Module AccessControl.ImplPython, line 461, in validate
>  Module AccessControl.ImplPython, line 808, in raiseVerbose
> Unauthorized: Your user account does not have the required permission. 
> Access to 'manage_page_header' of (BTreeFolder2 at 
> /Playwiser/PublicForums/0000000000/0000000000) denied. Your user account, 
> Anonymous User, exists at /acl_users. Access requires one of the following 
> roles: ['Manager']. Your roles in this context are ['Anonymous'].
>
>
> I was under the impression that code in external methods runs as 'trusted' 
> and does not incur normal Zope security checks.
>
> Is this error being generated because the external method was invoked by a 
> DTML method or is there some other factor that I am unaware of?

If I set the 'Access contents information' permission for the PublicForums 
BTreeFolder2 to 'Anonymous' the external method works.

I don't know why this permission would allow the manage_changeProperties 
(line 3228 in the external method) to work?
line 3228: threadFolder.manage_changeProperties({'viewCount': threadFolder.viewCount+1})

Zope 2.9.2
Python 2.4.2
Red Hat 3.4.5-2

Thanks,

Jonathan



