[Zope] Simple security question
Andreas Jung
lists at zopyx.com
Fri Mar 21 08:41:57 EDT 2008
<http://plone.org/documentation/how-to/debug-unauthorized>
-aj
--On 21 March 2008 08:38:46 -0400 Duncan Murdoch <murdoch at stats.uwo.ca>
wrote:
> I'm making some changes to an existing Zope setup. The original author
> has moved on, and I don't have previous experience with Zope: so the
> setup is relatively well-designed, but I don't really know the low-level
> basics well. It's some version of Zope 2 (I'm not sure how to get exact
> version information.)
>
> The problem is this: we have an existing web site that works well. I'd
> like to create a few pages that are private, accessible only by a list of
> authorized users. So I created a new directory, and added some users to
> the acl_users folder. Then on the security page for this directory, I
> unchecked all the "acquire permission settings" boxes, and checked every
> permission for the class of user I created. (Later I'll reduce the list,
> but for now they have everything.)
>
> But they still get permission failures when they try to do anything. The
> log shows the error:
>
> You are not allowed to access 'pythonMethods' in this context
>
> I have several directories with that name on different parts of the site,
> so it's not completely clear to me which one I'm not allowed to access.
> The error log shows this traceback:
>
> Traceback (innermost last):
>
> * Module ZPublisher.Publish, line 98, in publish
> * Module ZPublisher.mapply, line 88, in mapply
> * Module ZPublisher.Publish, line 39, in call_object
> * Module OFS.DTMLDocument, line 133, in __call__
> <DTMLDocument instance at bfa00e0>
> URL: http://xxxxxxx/test/edit/manage_main
> Physical Path:/xxx/test/edit
> * Module DocumentTemplate.DT_String, line 474, in __call__
> * Module DocumentTemplate.DT_Util, line 195, in eval
> __traceback_info__: pythonMethods
> * Module OFS.DTMLMethod, line 152, in validate
>
> Unauthorized: You are not allowed to access 'pythonMethods' in this
> context
>
> (I've xx'd out the URL because I'm pretty sure I haven't got the security
> setup right.)
>
> The test/edit page is a DTML document, which contains this line
>
> <dtml-var "pythonMethods.displayheader(id())">
>
> but I'm not certain this is the line that triggers the error.
>
> My questions:
> 1. Are there simple examples of this kind of security setup somewhere?
> 2. How do I diagnose what's going wrong?
>
> Duncan Murdoch
--
ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany
Web: www.zopyx.com - Email: info at zopyx.com - Phone +49 - 7071 - 793376
Court of registration: Amtsgericht Stuttgart, commercial register A 381535
Managing director/shareholder: ZOPYX Limited, Birmingham, UK
------------------------------------------------------------------------
E-Publishing, Python, Zope & Plone development, Consulting