[Zope] Simple security question
Duncan Murdoch
murdoch at stats.uwo.ca
Fri Mar 21 08:38:46 EDT 2008
I'm making some changes to an existing Zope setup. The original author
has moved on, and I don't have previous experience with Zope: so the
setup is relatively well-designed, but I don't really know the low-level
basics well. It's some version of Zope 2 (I'm not sure how to get exact
version information.)

The problem is this: we have an existing web site that works well. I'd
like to create a few pages that are private, accessible only by a list
of authorized users. So I created a new directory, and added some users
to the acl_users folder. Then on the security page for this directory,
I unchecked all the "acquire permission settings" boxes, and checked
every permission for the class of user I created. (Later I'll reduce
the list, but for now they have everything.)

But they still get permission failures when they try to do anything.
The log shows the error:

You are not allowed to access 'pythonMethods' in this context

I have several directories with that name on different parts of the
site, so it's not completely clear to me which one I'm not allowed to
access. The error log shows this traceback:

Traceback (innermost last):
* Module ZPublisher.Publish, line 98, in publish
* Module ZPublisher.mapply, line 88, in mapply
* Module ZPublisher.Publish, line 39, in call_object
* Module OFS.DTMLDocument, line 133, in __call__
<DTMLDocument instance at bfa00e0>
URL: http://xxxxxxx/test/edit/manage_main
Physical Path:/xxx/test/edit
* Module DocumentTemplate.DT_String, line 474, in __call__
* Module DocumentTemplate.DT_Util, line 195, in eval
__traceback_info__: pythonMethods
* Module OFS.DTMLMethod, line 152, in validate
Unauthorized: You are not allowed to access 'pythonMethods' in this context

(I've xx'd out the URL because I'm pretty sure I haven't got the
security setup right.)

The test/edit page is a DTML document, which contains this line

<dtml-var "pythonMethods.displayheader(id())">

but I'm not certain this is the line that triggers the error.

My questions:

1. Are there simple examples of this kind of security setup somewhere?
2. How do I diagnose what's going wrong?

Duncan Murdoch