[Zope] Lost user credentials

Garito garito at gmail.com
Mon Mar 12 14:40:03 EDT 2007


Sorry, the Gmail response was sent only to the original poster, not to the list
(sorry Andreas)
The original post:

The question then (sorry):
I have a product called Yanged
This product has overridden:
__bobo_traverse__, which returns some objects and sometimes a wrapper object
with the HTML code to the browser
__call__, which returns the HTML code to __bobo_traverse__ or if you call the
object itself
index_html, which returns __call__
A TALES evaluator to evaluate some TALES expressions out of page templates

All works ok except when I try to delete some objects. When I try to launch
the delete method it raises an authorized error and asks for a new login and
password

I try with my user who is manager and owner but logon doesn't work and
raises the same error

If I look at the error log I can see this error:

Traceback (innermost last):
  Module ZPublisher.Publish, line 106, in publish
  Module ZPublisher.BaseRequest, line 323, in traverse
  Module Products.Yanged.Yanged, line 61, in __bobo_traverse__
  Module Products.Yanged.Yanged, line 141, in __call__
  Module Products.Yanged.Yanged, line 170, in Ejecutar
  Module Products.Yanged.Yanged, line 125, in __call__
  Module Products.Yanged.Yanged, line 170, in Ejecutar
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.PythonScripts.PythonScript, line 325, in _exec
  Module None, line 2, in BorrarFuncionalidad
   - <PythonScript at /sistes.net/clientes/escobarsl.com/Comandos/BorrarFuncionalidad used for /sistes.net/clientes/escobarsl.com/Pagina/Borrar/BorrarCaso>
   - Line 2
  Module AccessControl.ImplPython, line 729, in guarded_getattr
  Module AccessControl.ImplPython, line 671, in aq_validate
  Module AccessControl.ImplPython, line 565, in validate
  Module AccessControl.ImplPython, line 463, in validate
  Module AccessControl.ImplPython, line 810, in raiseVerbose
Unauthorized: Your user account does not have the required permission.
 Access to 'manage_delObjects' of (Yanged at
/sistes.net/clientes/escobarsl.com/Pagina/Funcionalidades) denied.
Your user account, Anonymous User, exists at (unknown). Access
requires one of the following roles: ['Manager']. Your roles in this
context are ['Anonymous'].

If I try to delete the object the error is raised, but if I immediately try
to create another object it works ok

This is the code for BorrarFuncionalidad (the code that raises the error)
and CrearFuncionalidad (the code that works ok). Both are Python Scripts:

BorrarFuncionalidad
carpeta = getattr(context.Singular(), 'Funcionalidades')
carpeta.manage_delObjects(args['path'])
return args

CrearFuncionalidad
carpeta = getattr(context.Singular(), 'Funcionalidades')
Id = context.Dame(context.Id)

args['caso'] = carpeta.manage_addProduct['Yanged'].CrearYanged(Id)
return args

Both scripts are launched in the same way (the Ejecutar method you can see
in the traceback above)

I try to track the user from the __bobo_traverse__ to the __call__ and it seems
the user credentials are lost when I call CrearFuncionalidad (in the whole
call)

Can you point me to some clues to solve this problem?

Thanks!

2007/3/12, Dennis Allison <allison at shasta.stanford.edu>:
>
>
> I did not catch the original post and so don't know any of the details,
> but it sounds like a problem with the logging system, not a loss of
> credentials.  We had it long ago and resolved it with the list's help.  This
> patch is still in use with Zope 2.9.X.
>
> You need to patch ../lib/python/ZServer/medusa/http_server.py
>
> --- ./v0.0/http_server.py       2004-12-25 22:39:31.000000000 -0800
> +++ ./v0.1/http_server.py       2004-12-25 22:39:31.000000000 -0800
> @@ -36,6 +36,9 @@
> from counter import counter
> from urllib import unquote
>
> +# Paul's Patch (a shameful thing) to make names register properly
> +from ZPublisher.HTTPRequest import parse_cookie
> +
> #
>
> ===========================================================================
> #                                                      Request Object
> #
>
> ===========================================================================
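Review bot: The comment above the new import ("Paul's Patch (a shameful thing)") does not say why http_server.py needs parse_cookie; it should state that the function is used to read the '__ac' cookie for the access-log user name. The import also ties this medusa module to ZPublisher.HTTPRequest, and that dependency is worth naming in the same comment.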
> @@ -277,6 +280,7 @@
>
>          auth=self.get_header('Authorization')
>          name='Anonymous'
> +
>          if auth is not None:
>              if string.lower(auth[:6]) == 'basic ':
>                  try: decoded=base64.decodestring(auth[6:])
> @@ -286,10 +290,35 @@
>                      name = 'Unknown (bad auth string)'
>                  else:
>                      name = t[0]
> +        else:
> +        # start of patch
> +            try:
> +                auth_cookie_name='__ac'
> +                cookie= None
> +                try:
> +                    cookies = {}
> +                    header_value = self.get_header("Cookie")
> +                    if header_value:
> +                        parse_cookie(header_value, cookies)
> +                        cookie = cookies.get(auth_cookie_name, None)
> +                except:
> +                    name = 'Anonymous'
> +
> +                if cookie is not None:
> +                    cookie = unquote(cookie)
> +                    try:
> +                        cookie = base64.decodestring(cookie)
> +                        name, password = tuple( cookie.split(':',1))
> +                    except: name= "Unknown (bad auth cookie)"
> +            except:
> +                name = "Failure!"
> +        # end of patch
>
> +       # log the host domain too
>          self.channel.server.logger.log (
>              self.channel.addr[0],
> -            '- %s [%s] "%s" %d %d "%s" "%s"\n' % (
> +            '%s %s [%s] "%s" %d %d "%s" "%s"\n' % (
> +               self.get_header('Host'),
>                  name,
>                  self.log_date_string (time.time()),
>                  self.request,
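Review bot: In the added cookie branch, the name written to the access log comes straight from the base64-decoded '__ac' cookie, and the new first field comes from self.get_header('Host'); both are client-supplied and unverified at this point, so the log can show any user name or host the client chooses, including characters that break the log line format. Suggest stripping whitespace, quotes and control characters from both values before formatting, and handling a missing Host header, which would otherwise be logged as None. The bare "except:" clauses hide every failure behind 'Anonymous' or "Failure!"; catch the specific decode and split errors instead, and drop the unused "password" binding so the decoded password is not kept in a local variable.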
>
> Hope this helps.
>
>
>
> On Mon, 12 Mar 2007, Garito wrote:
>
> > Could any charitable soul take pity on this poor sinner, please...?
> >
> > 2007/3/12, Garito <garito at gmail.com>:
> > >
> > > Hi Andreas!
> > > What kind of information do you need?
> > > > In my last messages to the list I sent the tracebacks and some other
> > > > information (need to resend them?)
> > > >
> > > > Could you point out what details you need?
> > > >
> > > > Thank you so much for your interest!
> > >
> > > 2007/3/12, Andreas Jung <lists at zopyx.com>:
> > > >
> > > >
> > > >
> > > > --On 12. März 2007 04:04:31 +0100 Garito <garito at gmail.com> wrote:
> > > >
> > > > > Hi all!
> > > > > > Some days ago I sent to the list a question about a problem losing
> > > > > > user credentials
> > > > > >
> > > > > > In my code I don't use anything about security and nothing is changed
> > > > > > on zmi's security tab
> > > > > >
> > > > > > But when I launch a method (Borrar if you remember) the user who
> > > > > > launches the action is anonymous not the logged one
> > > >
> > > > Somewhat hard to believe without a detailed description....
> > > >
> > > > -aj
> > > >
> > >
> > >
> > >
> > > --
> > > Mis Cosas: http://blogs.sistes.net/Garito
> > >
> >
> >
> >
> >
>
> --
>
>


-- 
Mis Cosas: http://blogs.sistes.net/Garito