[ZPatterns] Can't set proxy roles for SkinScript
Itai Tavor
itai@iinet.net.au
Wed, 8 Jan 2003 16:53:29 +1100
Hi Steve,
Beautimous! Excellent work, Steve. It solves the problem. Well, the
first one, at least. I can assign proxy roles now. I'd still like to
know why giving the user the Change Catalog permission doesn't help...
BTW, I'm not using LoginManager in this application, I got bitten by it
too many times - so this problem is not LM related.
On Wednesday, January 8, 2003, at 04:19 PM, Steve Spicklemire wrote:
> Hi Itai,
>
> Can you see if this helps?
>
> [vh10-48:~/client2/Products/ZPatterns] steve% cvs diff Proxy.py
> Index: Proxy.py
> ===================================================================
> RCS file: /cvsroot/zpatterns/ZPatterns/Proxy.py,v
> retrieving revision 1.1.1.1
> diff -r1.1.1.1 Proxy.py
> 26c26
> < user=user.hasRole
> ---
> > user=user.has_role
> 28c28
> < if r and not user(self, (r,)):
> ---
> > if r and not user((r,), self):
>
>
> -steve
>
> On Tuesday, January 7, 2003, at 11:57 PM, Steve Spicklemire wrote:
>
>>
>> This sounds a bit like problems I'm seen in LoginManager where
>> various bits of skinscript get executing at different points in the
>> transaction, where permissions are changing along the way. I'll try
>> to reproduce this.. and poke a bit.
>>
>> -steve
>>
>> On Tuesday, January 7, 2003, at 11:38 PM, Itai Tavor wrote:
>>
>>> On Wednesday, January 8, 2003, at 02:48 PM, Rob Miller wrote:
>>>
>>>> On Tuesday, January 7, 2003, at 05:37 PM, Itai Tavor wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In Zope 2.5.1 with ZPatterns 0.4.3p2 (TransactionAgents 5), trying
>>>>> to set the Manager proxy role on a SkinScript results in:
>>>>>
>>>>> You are not authorized to change ... because you do not have
>>>>> proxy roles.
>>>>>
>>>>> I thought we left this kind of nonsense behind a long time ago.
>>>>> What's happening?
>>>>
>>>> this is just zope enforcing its security model, no nonsense about
>>>> it. a user is not allowed to assign a proxy role to an object
>>>> unless the user has that role himself. this catches people off
>>>> guard when they're logged in as a Manager, and then they try to
>>>> specify a proxy role of, say, Member, to some page template or
>>>> python script (or skinscript ;-). zope will deny this action until
>>>> the Manager user explicitly adds the Member role to his user >>>> object.
>>>
>>> Thanks, Rob, but... I got the Manager role, and I'm trying to give
>>> the SkinScript the Manager proxy role. It should work. It works when
>>> I give the Manager proxy role to other Zope objects, but not to a
>>> SkinScript. Something is wrong with SkinScripts...
>>>
>>>
>>>>> Also, in a SkinScript that catalogs changed objects, I tried to
>>>>> avoid the need for the proxy role by giving my user role the
>>>>> "Manage ZCatalog Entries" permission, which is the one protecting
>>>>> uncatalog_object in ZCatalog, but I still get an access error on
>>>>> uncatalog_object in:
>>>>>
>>>>> WHEN OBJECT CHANGED CALL
>>>>>
>>>>> Catalog.uncatalog_object(_.string.join(self.getPhysicalPath(),'/
>>>>> >>>> ')),
>>>>> Catalog.catalog_object(self,
>>>>> _.string.join(self.getPhysicalPath(),'/'))
>>>>>
>>>>> Can anyone think of a reason why the permission settings are being
>>>>> ignored?
>>>>
>>>> this one i can't answer. i'm as curious as you are, actually...
>>>> i've always resorted to proxy roles, myself, as you tried to do.
>>>
>>> This is really strange. I haven't done a lot of digging, but
>>> something strange is definitely going on. The test user I'm using
>>> has a role called "Scheduler" which has permissions to change
>>> application objects as well as modify the Catalog. The fact that the
>>> Unauthorized happens on the uncatalog_object call means that the
>>> attempt to modify the object worked - so the role is applied
>>> correctly, but the SkinScript gets executed without the permissions
>>> of this role.
>>>
>>> Disgusting. Annoying. Painful.
>>>
>>> _______________________________________________
>>> ZPatterns mailing list
>>> ZPatterns@eby-sarna.com
>>> http://www.eby-sarna.com/mailman/listinfo/zpatterns
>
>