[ZPatterns] Can't set proxy roles for SkinScript

Steve Spicklemire steve@spvi.com
Tue, 7 Jan 2003 23:57:49 -0500


This sounds a bit like problems I've seen in LoginManager where various 
bits of skinscript get executed at different points in the 
transaction, where permissions are changing along the way. I'll try to 
reproduce this... and poke a bit.

-steve

On Tuesday, January 7, 2003, at 11:38  PM, Itai Tavor wrote:

> On Wednesday, January 8, 2003, at 02:48 PM, Rob Miller wrote:
>
>> On Tuesday, January 7, 2003, at 05:37 PM, Itai Tavor wrote:
>>
>>> Hi,
>>>
>>> In Zope 2.5.1 with ZPatterns 0.4.3p2 (TransactionAgents 5), trying 
>>> to set the Manager proxy role on a SkinScript results in:
>>>
>>>    You are not authorized to change ... because you do not have 
>>> proxy roles.
>>>
>>> I thought we left this kind of nonsense behind a long time ago. 
>>> What's happening?
>>
>> this is just zope enforcing its security model, no nonsense about it. 
>>  a user is not allowed to assign a proxy role to an object unless the 
>> user has that role himself.  this catches people off guard when 
>> they're logged in as a Manager, and then they try to specify a proxy 
>> role of, say, Member, to some page template or python script (or 
>> skinscript ;-).  zope will deny this action until the Manager user 
>> explicitly adds the Member role to his user object.
>
> Thanks, Rob, but... I got the Manager role, and I'm trying to give the 
> SkinScript the Manager proxy role. It should work. It works when I 
> give the Manager proxy role to other Zope objects, but not to a 
> SkinScript. Something is wrong with SkinScripts...
>
>
>>> Also, in a SkinScript that catalogs changed objects, I tried to 
>>> avoid the need for the proxy role by giving my user role the "Manage 
>>> ZCatalog Entries" permission, which is the one protecting 
>>> uncatalog_object in ZCatalog, but I still get an access error on 
>>> uncatalog_object in:
>>>
>>> WHEN OBJECT CHANGED CALL
>>>   Catalog.uncatalog_object(_.string.join(self.getPhysicalPath(),'/')),
>>>   Catalog.catalog_object(self, _.string.join(self.getPhysicalPath(),'/'))
>>>
>>> Can anyone think of a reason why the permission settings are being 
>>> ignored?
>>
>> this one i can't answer.  i'm as curious as you are, actually... i've 
>> always resorted to proxy roles, myself, as you tried to do.
>
> This is really strange. I haven't done a lot of digging, but something 
> strange is definitely going on. The test user I'm using has a role 
> called "Scheduler" which has permissions to change application objects 
> as well as modify the Catalog. The fact that the Unauthorized happens 
> on the uncatalog_object call means that the attempt to modify the 
> object worked - so the role is applied correctly, but the SkinScript 
> gets executed without the permissions of this role.
>
> Disgusting. Annoying. Painful.
>
> _______________________________________________
> ZPatterns mailing list
> ZPatterns@eby-sarna.com
> http://www.eby-sarna.com/mailman/listinfo/zpatterns
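The proxy-role rule Rob describes (you can only hand a script roles you hold yourself) and the permission check that fails on uncatalog_object, as a simplified Python model added here for illustration. It is not Zope's code or API; the User, Script, set_proxy_roles, effective_roles and CATALOG_PERMISSIONS names are assumptions of this example.

```python
# Constructed model of Zope's proxy-role rule; NOT Zope's own implementation.

class Unauthorized(Exception):
    """Raised where Zope would refuse the action."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


class Script:
    """A script-like object (Python Script, Page Template, SkinScript)."""
    def __init__(self, name):
        self.name = name
        self.proxy_roles = frozenset()


def set_proxy_roles(user, script, roles):
    """A user may only assign proxy roles that the user already holds."""
    missing = frozenset(roles) - user.roles
    if missing:
        raise Unauthorized(
            f"{user.name} cannot give {script.name} proxy roles "
            f"{sorted(missing)}: you do not have proxy roles")
    script.proxy_roles = frozenset(roles)


def effective_roles(user, script):
    """Roles a call made from the script runs with: proxy roles, if set,
    replace the calling user's own roles entirely."""
    return script.proxy_roles if script.proxy_roles else user.roles


# Permission -> roles granted it on the catalog (constructed sample settings,
# matching the "Scheduler" role from the thread being given catalog access).
CATALOG_PERMISSIONS = {
    "Manage ZCatalog Entries": frozenset({"Manager", "Scheduler"}),
}


def check_permission(permission, roles):
    """True if any of the executing roles grants the permission; this is the
    check that uncatalog_object must pass."""
    return bool(CATALOG_PERMISSIONS.get(permission, frozenset()) & roles)
```

A SkinScript running with the Scheduler role passes the check; the thread's Unauthorized means the script was not executing with that role at all.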