[ZPT] BUG? Non-manager can't edit ZPT with WebDAV or FTP; can with ZMI
Joel Burton
joel@joelburton.com
Tue, 19 Feb 2002 12:50:27 -0500 (EST)
Synopsis:
A highly-privileged non-manager user can edit all content types through
WebDAV or FTP *except* PageTemplates. If user is changed to a manager,
they can now edit PageTemplates through WebDAV/FTP.
Demonstration/Walkthrough:
1) in folder "/foo", create local role "test"
2) in "/foo", give role "test" *all* permissions
(in theory, this person would only need a few privileges; to remove
any possibility that we're guessing the wrong privileges, select
them all)
3) add user "bob" w/role=test
4) create a ZPT document "test.pt" in "/foo"
5) create a DTML Document "test.dtml" in "/foo"
5) see that bob can edit both documents using ZMI w/o problem.
(therefore, it's not privileges per se that's causing the problem)
6) see that using WebDAV/FTP, bob can edit "test.dtml"
(therefore, it's not WebDAV setup per se that's causing the problem)
7) see that using WebDAV/FTP, bob *cannot* edit "test.pt" (!)
8) add manager role to bob
9) now bob can edit "test.pt" through WebDAV/FTP
(therefore, it's not simply ZPT+WebDAV that's causing the problem)
Notes:
I've tried FTP and 3 WebDAV clients (cadaver, WebDrive, Dreamweaver); all
return an unauthorized message.
This isn't a firewall, client, or locking problem: I can't do it from the
server using cadaver; I've tried different client machines; using cadaver,
I can't even GET the file (which makes no attempt to lock it.)
WebDAV editing of ZPT is a critical feature for my clients. I
can't give the editors "manager" role w/o opening huge security holes.
Using cadaver w/debug settings, I can get detail on the requests and
responses: the forbidden edit request (step #7 above) just re-requests
authentication twice and fails. Happy to send the cadaver log to anyone
who might find it helpful.
Can anyone edit ZPT through WebDAV or FTP with non-managers? Can anyone
shed any light on this problem?
I do read zpt@zope.org, but a cc to me directly would be appreciated.
Thanks in advance!
--
Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton
Independent Knowledge Management Consultant
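Turning the walkthrough above into a repeatable check, as an added example that is not part of the original post: a Python script that GETs both objects over HTTP with each account's Basic credentials and flags any object a manager can read but the fully privileged non-manager cannot, while that same user can still read a sibling object in the folder (which rules out a protocol or credential problem, as in steps 6 to 9). The base URL, the account names and the RecordedOpener replay are constructed assumptions that mirror the steps above, not real server output.

```python
import base64
import urllib.error
import urllib.request

# Hypothetical layout mirroring the walkthrough: both objects live in /foo and
# are probed as the non-manager "bob" and as a manager account "admin".
OBJECTS = ["/foo/test.dtml", "/foo/test.pt"]

def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def probe(base_url, path, user, password, opener=None):
    """GET one object with HTTP Basic credentials; return the status code."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(base_url + path, method="GET")
    req.add_header("Authorization", basic_auth(user, password))
    try:
        resp = opener.open(req)
    except urllib.error.HTTPError as err:  # 401/403 are raised, not returned
        return err.code
    code = resp.status
    resp.close()
    return code

def access_matrix(base_url, accounts, opener=None):
    """Map (user, path) -> status for every account/object combination."""
    return {(u, p): probe(base_url, p, u, pw, opener)
            for u, pw in accounts for p in OBJECTS}

def anomalies(matrix, non_manager, manager):
    """Objects denied to the non-manager but readable by the manager, while
    the non-manager can still read some sibling object in the same folder."""
    sibling_ok = any(matrix[(non_manager, p)] == 200 for p in OBJECTS)
    return [p for p in OBJECTS
            if matrix[(non_manager, p)] in (401, 403)
            and matrix[(manager, p)] == 200 and sibling_ok]

class RecordedOpener:
    """Constructed stand-in for a live Zope server: replays the outcomes the
    post reports so the checker can run offline."""
    STATUS = {("bob", "/foo/test.dtml"): 200, ("bob", "/foo/test.pt"): 401,
              ("admin", "/foo/test.dtml"): 200, ("admin", "/foo/test.pt"): 200}

    def open(self, req):
        creds = base64.b64decode(req.get_header("Authorization")[6:]).decode()
        code = self.STATUS[(creds.split(":")[0], req.selector)]
        if code != 200:
            raise urllib.error.HTTPError(req.full_url, code, "Unauthorized", {}, None)
        return type("Resp", (), {"status": code, "close": lambda self: None})()
```

Against a real server, drop the RecordedOpener argument so `probe` uses a plain urllib opener; a result of `["/foo/test.pt"]` from `anomalies` reproduces exactly the inconsistency described in the post.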