[Zope-dev] New security model and products breaking zope management

R. David Murray bitz@bitdance.com
Mon, 26 Jun 2000 16:21:46 -0400 (EDT)


OK, I've stared at this for a couple days and have not made any progress.
Perhaps others will have some insights.

Zope 2.2.0b2, clean install.  Works fine.  Add EMarket.  Now the
management is broken.  Accessing the base URL of the site with
/manage_main appended gives you the file list view of the root
folder, with no prompt for authentication.  Accessing /manage
prompts for a login, but the right panel view is the import/export
screen and not the folder list.  There's other weird stuff, like
a key error on "a_", which appears to be a temporary variable used
in one of the DTML management pages.

I've read Brian's 2.2 product security update, and it looks to me like
EMarket is Doing the Right Thing (though I haven't checked completely for
unprotected methods yet), which makes sense since it was a working
product <grin>.

I have a private report that eTailor also has this problem, but haven't
tested it myself.  There was another 2.2.0b2 bug report on the mailing
list recently that gave similar problem symptoms (import/export screen
in management) that also looks to be the result of an installed product.
No report as to which product yet.

So, what could a product be doing that would cause the management
interface to break like this?  It seems like it must be munging
the permission list for folders.  I do see a place where EMarket
is copying stuff from Folder, but it takes care to *copy* the
one data structure that it actually changes.  Still, could the
fact that other stuff is referenced directly be interacting with
the new security system somehow?

I'm about to start running experiments to see if I can figure out
what in the code is causing the problem, but I feel like I'm groping
in the dark so far.  Any clues or research suggestions gratefully
accepted.

--RDM