[Zope-dev] Security-Problem

Dieter Maurer dieter@handshake.de
Tue, 18 Feb 2003 23:01:33 +0100


Andre Schubert wrote at 2003-2-18 15:16 +0100:
 > ...
 > Error Type: Unauthorized
 > Error Value: The owner of the executing script does not have the required permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles ['Authenticated', 'Owner'].
 > 
 > I try to explain what happens.
 > Let's say I have a user called foo who has Manager-Roles across a Zope-site.
 > foo has added 2 DTMLMethods to a folder called bar and foobar.
 > foobar is called from inside bar (<dtml-call foobar>).
 > He also created a Role MSAdmin.
 > bar is accessible and visible by Anonymous Users.
 > foobar is accessible and visible by MSAdmin and Manager.
 > If I view bar and log in as a user with MSAdmin-Roles everything works fine.
 > But if I remove the Manager-Role from foo who has created the two DTMLMethods I get the above error.

That is precisely as it should be.

You may consider taking ownership of your executing script and
giving it to a user with role "MSAdmin".


Dieter
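
The check discussed in this thread, as an added example that is not part of the original post and is not Zope's own code: a simplified Python model in which access to foobar is granted only when both the requesting user and the owner of the executing script (bar) hold a role that has the permission. All class and function names are hypothetical, and treating "Anonymous" as a role everyone holds is a modelling assumption.

```python
# Simplified model of the executable-ownership check (assumption: not Zope source).
from dataclasses import dataclass


class Unauthorized(Exception):
    pass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Method:
    name: str
    owner: User             # who created (or later took ownership of) the method
    view_roles: frozenset   # roles granted the View permission on the method


def effective_roles(user):
    # Modelling assumption: every principal implicitly holds "Anonymous".
    return user.roles | {"Anonymous"}


def check_access(target, user, executing_script=None):
    """Both the user and the executing script's owner must be permitted."""
    if not effective_roles(user) & target.view_roles:
        raise Unauthorized(f"user {user.name} may not access {target.name}")
    if executing_script is not None:
        owner = executing_script.owner
        if not effective_roles(owner) & target.view_roles:
            raise Unauthorized(f"owner {owner.name} of {executing_script.name} "
                               f"may not access {target.name}")
    return True


def view_bar(owner_roles, visitor_roles, owner_name="foo"):
    """Model of a visitor viewing bar, which runs <dtml-call foobar>."""
    owner = User(owner_name, frozenset(owner_roles))
    visitor = User("visitor", frozenset(visitor_roles))
    bar = Method("bar", owner, frozenset({"Anonymous"}))
    foobar = Method("foobar", owner, frozenset({"MSAdmin", "Manager"}))
    try:
        check_access(bar, visitor)
        return check_access(foobar, visitor, executing_script=bar)
    except Unauthorized as exc:
        return str(exc)
```

Calling `view_bar({"Authenticated", "Owner"}, {"Authenticated", "MSAdmin"})` reproduces the reported case: the visitor is permitted, but the owner of bar is not, so the call is refused.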