[Zope-dev] fixing security problems HOW?

Robin Becker robin@jessikat.fsnet.co.uk
Wed, 29 Nov 2000 00:41:06 +0000


In article <14884.15579.573102.28509@lindm.dm>, Dieter Maurer
<dieter@handshake.de> writes
>Robin Becker writes:
> > How can I find out exactly what is causing my security permissioning to
> > fail.
> > 
> > I have put extra stuff into ZPublisher\BaseRequest.py at line 463 so I
> > know that I'm failing on
> > 
> > UnauthorizedYou are not authorized to access this resource.
> > URL='http://192.168.0.4:7080/live/index_html' No Authorization header
> > found.
> > 
> > I am an anonymous user. Even when I make /live have the same permissions
> > as the manager I can't make it work. index_html is a dtml method of the
> > class of which live is an instance.
> > 
> > How can I figure out what is blocking the anonymous access.
>The URL traversal in "ZPublisher.BaseRequest.traverse"
>led to a "roles" assignment with a non-"None" value.
>This triggers authentication checking.
>Anonymous did not have one of the necessary roles.
>
>I would probably check, what "roles" are determined during
>traversal.
>
>Apparently, your "live" is a Z instance.
>It is quite easy to forget the ZClass permission mapping
>(or get it wrong). This may lead to strange permission
>problems.
Which ZClass permission mapping? Anonymous seems to be able to 'view'.

The 'Manager' role can log in and do stuff, but even when I change the
permissions of Anonymous to be completely the same as for Manager I
don't get the same behaviour; i.e. anonymous is being asked to log in?

The problem I suppose is that /live/index_html is really a permission of
/live and I guess the permissions determining access etc are really in /
the object which cannot be traversed to :) 
-- 
Robin Becker
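The mechanism Dieter describes (traversal determines a "roles" value for the object reached, a non-None value triggers authentication, and the user must hold one of those roles) is easy to reason about with a small model. The following is an added example, not code from this thread and not Zope's own ZPublisher or ZClass code: it is a deliberately simplified stand-in in which an object either sets roles itself or acquires them from its container, and it includes the diagnostic Dieter suggests, reporting which object the roles were determined from at each step. The tree in `build_example()` (root folder for Managers only, `/live` and its `index_html` setting nothing themselves) is constructed to mirror the situation in the message; names, the `ACQUIRE` sentinel and the function signatures are all assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACQUIRE = object()  # sentinel (assumed): object sets no roles itself; acquire from its container


class Unauthorized(Exception):
    """Raised when the user holds none of the roles the target object requires."""


@dataclass
class Node:
    """One object in the URL space: a folder, a ZClass instance or a method (model only)."""
    name: str
    # roles: None = public (no authentication check), tuple = protected, ACQUIRE = inherit
    roles: object = ACQUIRE
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def effective_roles(node: Node) -> Tuple[Optional[tuple], Optional[str]]:
    """Walk towards the root until an object that sets roles is found.
    Returns (roles, name of the object that set them)."""
    n = node
    while n is not None:
        if n.roles is not ACQUIRE:
            return n.roles, n.name
        n = n.parent
    return None, None  # nothing in the chain sets roles: treat as public


def determine_roles(root: Node, path: str) -> List[Tuple[str, Optional[tuple], Optional[str]]]:
    """Diagnostic: the roles determined at every traversal step, as
    (object name, roles, name of the object they were acquired from) triples."""
    trail = []
    node = root
    for segment in (p for p in path.split("/") if p):
        node = node.children[segment]  # KeyError here plays the part of NotFound
        roles, source = effective_roles(node)
        trail.append((node.name, roles, source))
    return trail


def validate(root: Node, path: str, user_roles) -> bool:
    """Publisher-style check on the object the path finally reaches: a non-None
    roles value triggers authentication, and the user must hold one of those roles."""
    trail = determine_roles(root, path)
    name, roles, source = trail[-1] if trail else ("/",) + effective_roles(root)
    if roles is None or set(roles) & set(user_roles):
        return True
    raise Unauthorized(
        f"{path}: {name!r} needs one of {sorted(roles)} (set on {source!r}), "
        f"user has {sorted(user_roles)}")


def build_example() -> Node:
    """Constructed tree: the root folder grants access to Managers only, while
    /live (standing in for the ZClass instance) and its index_html method
    set no roles of their own and therefore acquire the root's."""
    root = Node("/", roles=("Manager",))
    live = root.add(Node("live"))
    live.add(Node("index_html"))
    return root


if __name__ == "__main__":
    root = build_example()
    for step in determine_roles(root, "/live/index_html"):
        print(step)  # every step reports roles ('Manager',) coming from '/'
    try:
        validate(root, "/live/index_html", ("Anonymous",))
    except Unauthorized as e:
        print("Unauthorized:", e)
    # Setting roles on /live itself stops the acquisition from the root.
    root.children["live"].roles = ("Anonymous", "Manager")
    print(validate(root, "/live/index_html", ("Anonymous",)))
```

Running the trail first, rather than only catching the exception, is the point of the model: in the constructed tree the Anonymous user is refused not because of anything set on `index_html` or on `live`, but because both acquire the roles of the root, which is exactly the kind of thing a per-step report makes visible.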