[ZPatterns] Can't set proxy roles for SkinScript
Steve Spicklemire
steve@spvi.com
Wed, 8 Jan 2003 00:19:46 -0500
Hi Itai,
Can you see if this helps?
[vh10-48:~/client2/Products/ZPatterns] steve% cvs diff Proxy.py
Index: Proxy.py
===================================================================
RCS file: /cvsroot/zpatterns/ZPatterns/Proxy.py,v
retrieving revision 1.1.1.1
diff -r1.1.1.1 Proxy.py
26c26
< user=user.hasRole
---
> user=user.has_role
28c28
< if r and not user(self, (r,)):
---
> if r and not user((r,), self):
-steve
On Tuesday, January 7, 2003, at 11:57 PM, Steve Spicklemire wrote:
>
> This sounds a bit like problems I'm seen in LoginManager where various
> bits of skinscript get executing at different points in the
> transaction, where permissions are changing along the way. I'll try to
> reproduce this.. and poke a bit.
>
> -steve
>
> On Tuesday, January 7, 2003, at 11:38 PM, Itai Tavor wrote:
>
>> On Wednesday, January 8, 2003, at 02:48 PM, Rob Miller wrote:
>>
>>> On Tuesday, January 7, 2003, at 05:37 PM, Itai Tavor wrote:
>>>
>>>> Hi,
>>>>
>>>> In Zope 2.5.1 with ZPatterns 0.4.3p2 (TransactionAgents 5), trying
>>>> to set the Manager proxy role on a SkinScript results in:
>>>>
>>>> You are not authorized to change ... because you do not have
>>>> proxy roles.
>>>>
>>>> I thought we left this kind of nonsense behind a long time ago.
>>>> What's happening?
>>>
>>> this is just zope enforcing its security model, no nonsense about
>>> it. a user is not allowed to assign a proxy role to an object
>>> unless the user has that role himself. this catches people off
>>> guard when they're logged in as a Manager, and then they try to
>>> specify a proxy role of, say, Member, to some page template or
>>> python script (or skinscript ;-). zope will deny this action until
>>> the Manager user explicitly adds the Member role to his user object.
>>
>> Thanks, Rob, but... I got the Manager role, and I'm trying to give
>> the SkinScript the Manager proxy role. It should work. It works when
>> I give the Manager proxy role to other Zope objects, but not to a
>> SkinScript. Something is wrong with SkinScripts...
>>
>>
>>>> Also, in a SkinScript that catalogs changed objects, I tried to
>>>> avoid the need for the proxy role by giving my user role the
>>>> "Manage ZCatalog Entries" permission, which is the one protecting
>>>> uncatalog_object in ZCatalog, but I still get an access error on
>>>> uncatalog_object in:
>>>>
>>>> WHEN OBJECT CHANGED CALL
>>>>
>>>> Catalog.uncatalog_object(_.string.join(self.getPhysicalPath(),'/>>>> ')),
>>>> Catalog.catalog_object(self,
>>>> _.string.join(self.getPhysicalPath(),'/'))
>>>>
>>>> Can anyone think of a reason why the permission settings are being
>>>> ignored?
>>>
>>> this one i can't answer. i'm as curious as you are, actually...
>>> i've always resorted to proxy roles, myself, as you tried to do.
>>
>> This is really strange. I haven't done a lot of digging, but
>> something strange is definitely going on. The test user I'm using has
>> a role called "Scheduler" which has permissions to change application
>> objects as well as modify the Catalog. The fact that the Unauthorized
>> happens on the uncatalog_object call means that the attempt to modify
>> the object worked - so the role is applied correctly, but the
>> SkinScript gets executed without the permissions of this role.
>>
>> Disgusting. Annoying. Painful.
>>
>> _______________________________________________
>> ZPatterns mailing list
>> ZPatterns@eby-sarna.com
>> http://www.eby-sarna.com/mailman/listinfo/zpatterns