[ZPatterns] Can't set proxy roles for SkinScript

Itai Tavor itai@iinet.net.au
Wed, 8 Jan 2003 15:38:26 +1100 

On Wednesday, January 8, 2003, at 02:48 PM, Rob Miller wrote:

> On Tuesday, January 7, 2003, at 05:37 PM, Itai Tavor wrote:
>
>> Hi,
>>
>> In Zope 2.5.1 with ZPatterns 0.4.3p2 (TransactionAgents 5), trying to 
>> set the Manager proxy role on a SkinScript results in:
>>
>>    You are not authorized to change ... because you do not have proxy 
>> roles.
>>
>> I thought we left this kind of nonsense behind a long time ago. 
>> What's happening?
>
> this is just zope enforcing its security model, no nonsense about it.  
> a user is not allowed to assign a proxy role to an object unless the 
> user has that role himself.  this catches people off guard when 
> they're logged in as a Manager, and then they try to specify a proxy 
> role of, say, Member, to some page template or python script (or 
> skinscript ;-).  zope will deny this action until the Manager user 
> explicitly adds the Member role to his user object.

Thanks, Rob, but... I got the Manager role, and I'm trying to give the 
SkinScript the Manager proxy role. It should work. It works when I give 
the Manager proxy role to other Zope objects, but not to a SkinScript. 
Something is wrong with SkinScripts...


>> Also, in a SkinScript that catalogs changed objects, I tried to avoid 
>> the need for the proxy role by giving my user role the "Manage 
>> ZCatalog Entries" permission, which is the one protecting 
>> uncatalog_object in ZCatalog, but I still get an access error on 
>> uncatalog_object in:
>>
>> WHEN OBJECT CHANGED CALL
>>   Catalog.uncatalog_object(_.string.join(self.getPhysicalPath(),'/')),
>>   Catalog.catalog_object(self, 
>> _.string.join(self.getPhysicalPath(),'/'))
>>
>> Can anyone think of a reason why the permission settings are being 
>> ignored?
>
> this one i can't answer.  i'm as curious as you are, actually... i've 
> always resorted to proxy roles, myself, as you tried to do.

This is really strange. I haven't done a lot of digging, but something 
strange is definitely going on. The test user I'm using has a role 
called "Scheduler" which has permissions to change application objects 
as well as modify the Catalog. The fact that the Unauthorized happens 
on the uncatalog_object call means that the attempt to modify the 
object worked - so the role is applied correctly, but the SkinScript 
gets executed without the permissions of this role.

Disgusting. Annoying. Painful.