[Zope-dev] fixing security problems HOW?

Dieter Maurer dieter@handshake.de
Wed, 29 Nov 2000 00:16:43 +0100 (CET)


Robin Becker writes:
 > How can I find out exactly what is causing my security permissioning to
 > fail?
 > 
 > I have put extra stuff into ZPublisher\BaseRequest.py at line 463 so I
 > know that I'm failing on
 > 
 > UnauthorizedYou are not authorized to access this resource.
 > URL='http://192.168.0.4:7080/live/index_html' No Authorization header
 > found.
 > 
 > I am an anonymous user. Even when I make /live have the same permissions
 > as the manager I can't make it work. index_html is a dtml method of the
 > class of which live is an instance.
 > 
 > How can I figure out what is blocking the anonymous access?

The URL traversal in "ZPublisher.BaseRequest.traverse"
led to a "roles" assignment with a non-"None" value.
This triggers authentication checking.
Anonymous did not have one of the necessary roles.

I would probably check what "roles" are determined during
traversal.

Apparently, your "live" is a Z instance.
It is quite easy to forget the ZClass permission mapping
(or get it wrong). This may lead to strange permission
problems.


Dieter
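
A simplified model of the check described in the reply above, added here as an illustration; it is not part of the original message and not Zope's code. The names Node, trace_roles and check_access are hypothetical, the tree and its role values are constructed, and the rule that a step declaring nothing keeps the previous step's roles is an assumption of the model.

```python
# Toy model: each traversal step may declare the roles allowed to access it.
# None means public; a tuple lists the roles allowed; UNSET means the step
# declares nothing and the roles from the previous step stay in effect.
UNSET = object()

class Node:
    def __init__(self, roles=UNSET, **children):
        self.roles = roles
        self.children = children

def trace_roles(root, path):
    """Return [(step, roles in effect after the step, declared here?)]."""
    obj = root
    roles = None if root.roles is UNSET else root.roles
    trace = [("/", roles, root.roles is not UNSET)]
    for name in path.strip("/").split("/"):
        obj = obj.children[name]
        declared = obj.roles is not UNSET
        if declared:
            roles = obj.roles
        trace.append((name, roles, declared))
    return trace

def check_access(trace, user_roles):
    """Return (allowed, step whose declaration blocked the user or None)."""
    required = trace[-1][1]
    if required is None:
        return True, None            # public: no authentication needed
    if set(required) & set(user_roles):
        return True, None
    # The last step that declared roles is the one to inspect.
    culprit = [step for step, _, declared in trace if declared][-1]
    return False, culprit

# Constructed tree shaped like the /live/index_html path in the question.
SITE = Node(roles=None, live=Node(index_html=Node(roles=("Manager",))))

if __name__ == "__main__":
    trace = trace_roles(SITE, "/live/index_html")
    for step, roles, declared in trace:
        print(f"{step:12} roles={roles!r} declared_here={declared}")
    print(check_access(trace, ("Anonymous",)))
```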