[ZPatterns] Can't set proxy roles for SkinScript

Steve Spicklemire steve@spvi.com
Wed, 8 Jan 2003 01:05:10 -0500 

Hi Itai,


On Wednesday, January 8, 2003, at 12:53  AM, Itai Tavor wrote:

> Hi Steve,
>
> Beautimous! Excellent work, Steve. It solves the problem. Well, the  
> first one, at least. I can assign proxy roles now. I'd still like to  
> know why giving the user the Change Catalog permission doesn't help...


I'm guessing that the change is triggered at a point when the user's  
roles aren't available.. or it could be similar to the Proxy situation,  
where  the evolving security API (hasRole( object, roles) -> has_role(  
roles, object)) makes working code, stop working. ;-(

When I get a chance, I'll take a peek at that.

Does anyone know when 'hasRole' was deprecated? How should we modify  
Proxy.py to make it backward compatible? Or should we just march onward  
and not worry? ;-)

> BTW, I'm not using LoginManager in this application, I got bitten by  
> it too many times - so this problem is not LM related.

LoginManager can be subtle ;-). I like it, mostly because it's so durn  
flexible, but that can also make it's operation delicate.

take care,
-steve

>
>
> On Wednesday, January 8, 2003, at 04:19 PM, Steve Spicklemire wrote:
>
>> Hi Itai,
>>
>> Can you see if this helps?
>>
>> [vh10-48:~/client2/Products/ZPatterns] steve% cvs diff Proxy.py
>> Index: Proxy.py
>> ===================================================================
>> RCS file: /cvsroot/zpatterns/ZPatterns/Proxy.py,v
>> retrieving revision 1.1.1.1
>> diff -r1.1.1.1 Proxy.py
>> 26c26
>> <         user=user.hasRole
>> ---
>> >         user=user.has_role
>> 28c28
>> <             if r and not user(self, (r,)):
>> ---
>> >             if r and not user((r,), self):
>>
>>
>> -steve
>>
>> On Tuesday, January 7, 2003, at 11:57  PM, Steve Spicklemire wrote:
>>
>>>
>>> This sounds a bit like problems I'm seen in LoginManager where  
>>> various bits of skinscript get executing at different points in the  
>>> transaction, where permissions are changing along the way. I'll try  
>>> to reproduce this.. and poke a bit.
>>>
>>> -steve
>>>
>>> On Tuesday, January 7, 2003, at 11:38  PM, Itai Tavor wrote:
>>>
>>>> On Wednesday, January 8, 2003, at 02:48 PM, Rob Miller wrote:
>>>>
>>>>> On Tuesday, January 7, 2003, at 05:37 PM, Itai Tavor wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> In Zope 2.5.1 with ZPatterns 0.4.3p2 (TransactionAgents 5),  
>>>>>> trying to set the Manager proxy role on a SkinScript results in:
>>>>>>
>>>>>>    You are not authorized to change ... because you do not have  
>>>>>> proxy roles.
>>>>>>
>>>>>> I thought we left this kind of nonsense behind a long time ago.  
>>>>>> What's happening?
>>>>>
>>>>> this is just zope enforcing its security model, no nonsense about  
>>>>> it.  a user is not allowed to assign a proxy role to an object  
>>>>> unless the user has that role himself.  this catches people off  
>>>>> guard when they're logged in as a Manager, and then they try to  
>>>>> specify a proxy role of, say, Member, to some page template or  
>>>>> python script (or skinscript ;-).  zope will deny this action  
>>>>> until the Manager user explicitly adds the Member role to his user  
>>>>> >>>> object.
>>>>
>>>> Thanks, Rob, but... I got the Manager role, and I'm trying to give  
>>>> the SkinScript the Manager proxy role. It should work. It works  
>>>> when I give the Manager proxy role to other Zope objects, but not  
>>>> to a SkinScript. Something is wrong with SkinScripts...
>>>>
>>>>
>>>>>> Also, in a SkinScript that catalogs changed objects, I tried to  
>>>>>> avoid the need for the proxy role by giving my user role the  
>>>>>> "Manage ZCatalog Entries" permission, which is the one protecting  
>>>>>> uncatalog_object in ZCatalog, but I still get an access error on  
>>>>>> uncatalog_object in:
>>>>>>
>>>>>> WHEN OBJECT CHANGED CALL
>>>>>>    
>>>>>> Catalog.uncatalog_object(_.string.join(self.getPhysicalPath(),'/ 
>>>>>> >>>> ')),
>>>>>>   Catalog.catalog_object(self,  
>>>>>> _.string.join(self.getPhysicalPath(),'/'))
>>>>>>
>>>>>> Can anyone think of a reason why the permission settings are  
>>>>>> being ignored?
>>>>>
>>>>> this one i can't answer.  i'm as curious as you are, actually...  
>>>>> i've always resorted to proxy roles, myself, as you tried to do.
>>>>
>>>> This is really strange. I haven't done a lot of digging, but  
>>>> something strange is definitely going on. The test user I'm using  
>>>> has a role called "Scheduler" which has permissions to change  
>>>> application objects as well as modify the Catalog. The fact that  
>>>> the Unauthorized happens on the uncatalog_object call means that  
>>>> the attempt to modify the object worked - so the role is applied  
>>>> correctly, but the SkinScript gets executed without the permissions  
>>>> of this role.
>>>>
>>>> Disgusting. Annoying. Painful.
>>>>
>>>> _______________________________________________
>>>> ZPatterns mailing list
>>>> ZPatterns@eby-sarna.com
>>>> http://www.eby-sarna.com/mailman/listinfo/zpatterns
>>
>>