[Zope] Down-level user folder conflict

Alexander Staubo alex@mop.no
Tue, 27 Jul 1999 14:35:08 +0200


I have another interesting authorization failure problem (Zope 2.0.0b1).

Let's say I have a folder called Restricted. Permissions for this folder
are restricted to users of a specific privileged role called Editor.
Inside this folder I also have a standard user folder with one such
Editor user defined.

The problem arises when the user is viewing a document in the Restricted
folder, and the document is referring to objects -- such as images
through <img> tags -- from the _unrestricted_ part of the database.
It'll give "Unauthorized" on these objects no matter what. Remember that
these objects aren't restricted at all; the Anonymous role has full View
access.

My suspicion is that if the browser passes an authentication header that
does not match a valid user (known to the folder or any up-level folders
through acquisition; in my case the whole idea is that the user folder
is not visible from the part of the site that the browser passes an
authentication header to), then Zope will not revert to the anonymous
role, but will instead just block the user unconditionally.

If I move the user folder into the top-level folder, everything is
groovy.

Sounds like a bug, anybody care to comment before I bung it in the
Collector?

-- 
Alexander Staubo             http://www.mop.no/~alex/
"QED?" said Russell.
"It's Latin," said Morgan. "It means, So there you bastard."
--Robert Rankin, _Nostramadus Ate My Hamster_
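Added example for readers of this thread (not code from the original post and not Zope's own implementation): a small Python model of the two behaviours the post contrasts. A user lookup walks up the containment chain the way acquisition would, so a user folder that lives inside Restricted is invisible when the request is for an object elsewhere in the tree. With fall_back_to_anonymous=False, credentials that no reachable user folder recognises are rejected outright, which reproduces the "Unauthorized" on public images; with fall_back_to_anonymous=True they are ignored and the request is treated as anonymous. Folder names, the user "alex" and the password are constructed for the example.

```python
"""Toy model of acquisition-style user lookup and what happens when a
Basic-auth header matches no reachable user. Written for this page as
an illustration; it is not Zope code."""
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ANONYMOUS = "Anonymous"
AUTHENTICATED = "Authenticated"


@dataclass
class Folder:
    """A container. `users` stands in for a user folder held in this
    container (empty dict = none here): username -> (password, roles).
    `view_roles` are the roles granted View on this folder."""
    name: str
    parent: Optional["Folder"] = None
    users: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)
    view_roles: Set[str] = field(default_factory=lambda: {ANONYMOUS})


def find_user(folder: Folder, username: str, password: str) -> Optional[Set[str]]:
    """Walk from the requested object up to the root and return the roles
    of the first user folder holding a matching user. A user folder that
    sits below the requested object is never consulted."""
    f: Optional[Folder] = folder
    while f is not None:
        entry = f.users.get(username)
        if entry is not None and entry[0] == password:
            return set(entry[1])
        f = f.parent
    return None


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header; None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):]).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authorize(folder: Folder, header: Optional[str], *, fall_back_to_anonymous: bool) -> str:
    """Return 'OK' or 'Unauthorized' for a View request on `folder`.
    fall_back_to_anonymous=False: an unrecognised header is a hard failure
    even where Anonymous may view (the behaviour the post suspects).
    fall_back_to_anonymous=True: unrecognised credentials are ignored and
    the request is evaluated as Anonymous."""
    creds = parse_basic(header)
    if creds is None:
        roles = {ANONYMOUS}
    else:
        found = find_user(folder, *creds)
        if found is None:
            if not fall_back_to_anonymous:
                return "Unauthorized"
            roles = {ANONYMOUS}
        else:
            roles = found | {AUTHENTICATED}
    # View granted to Anonymous means anyone may view, authenticated or not.
    if ANONYMOUS in folder.view_roles or roles & folder.view_roles:
        return "OK"
    return "Unauthorized"


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_site(user_folder_at_root: bool) -> Tuple[Folder, Folder, Folder]:
    """root/images (Anonymous may view) and root/Restricted (Editor only).
    The one Editor user lives in Restricted, or in root if requested."""
    editors = {"alex": ("secret", {"Editor"})}  # constructed credentials
    root = Folder("root", users=editors if user_folder_at_root else {})
    images = Folder("images", parent=root)
    restricted = Folder("Restricted", parent=root,
                        users={} if user_folder_at_root else editors,
                        view_roles={"Editor"})
    return root, images, restricted


def scenario(user_folder_at_root: bool, fall_back_to_anonymous: bool) -> Dict[str, str]:
    """The post's case: the browser sends the Editor's credentials both to
    the restricted document and to an unrestricted image it references."""
    _, images, restricted = build_site(user_folder_at_root)
    hdr = basic_header("alex", "secret")
    fb = fall_back_to_anonymous
    return {
        "restricted_with_creds": authorize(restricted, hdr, fall_back_to_anonymous=fb),
        "image_with_creds": authorize(images, hdr, fall_back_to_anonymous=fb),
        "image_no_creds": authorize(images, None, fall_back_to_anonymous=fb),
        "restricted_no_creds": authorize(restricted, None, fall_back_to_anonymous=fb),
    }


if __name__ == "__main__":
    for at_root in (False, True):
        for fallback in (False, True):
            print(f"user folder at root={at_root}, fallback={fallback}:",
                  scenario(at_root, fallback))
```

Running it shows the three outcomes the post describes: with the user folder inside Restricted and no fallback, the image request carrying the Editor's header is refused while the same request without a header succeeds; switching on the fallback makes the image viewable again; moving the user folder to the root makes the header resolvable from anywhere, so both modes agree.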