[Zope] Strange behaviour on authorization

Jarkko Veijalainen Jarkko.Veijalainen@tecnomen.fi
Mon, 21 Aug 2000 10:17:03 +0300


Now, I have defined the same owner for every document in that folder, but it
didn't help me.

I cranked my pages a little bit and discovered a little more about where the
problem is. The problem isn't POSTING data, it's the return value that Zope
doesn't want to publish.

<clip>

<font face="Verdana, Arial" color="#ffffff">
<dtml-let resDTML="Imap('Authentication',REQUEST,1)">
<h2>User <dtml-var "resDTML.cn"> <dtml-var title_or_id></h2>
</font>

<FORM ACTION="email_headers" METHOD="POST" >

</TD><TD><font color="#000000" face="Verdana, Arial, Helvetica"
size="1"><dtml-var "resDTML.account">&nbsp; </TD>

</clip>


The problem tag is <dtml-var "resDTML.cn">, which causes the following
traceback. When I remove this tag, the traceback bugs me about Unauthorized:
account, which is the 2nd value from the external method's returned object
resDTML.
So the problem is publishing the contents of resDTML called in <DTML-LET> tags.
It doesn't make any sense if I have to validate every return value from an
external method; it's just unacceptable. In the external method, I have a
simple class, and an instance of that class is the return value of the method.
I repeat this again: ALL THESE THINGS DID work with Zope 2.1.6. How can I fix
this?


Traceback (innermost last):
    File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222, in publish_module
    File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187, in publish
    File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171, in publish
    File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in mapply
      (Object: email_accounts)
    File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112, in call_object
      (Object: email_accounts)
    File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in __call__
      (Object: email_accounts)
    File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
      (Object: email_accounts)
    File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line 147, in render
      (Object: resDTML="Imap('Authentication',REQUEST,1)")
    File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 337, in eval
      (Object: resDTML.cn)
      (Info: resDTML)
    File <string>, line 0, in ?
    File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 142, in careful_getattr
    File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in validate
      (Object: email_accounts)
    File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py, line 139, in validate
    File /usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line 159, in validate
  Unauthorized: cn

	jarkkov


> try so POST data to email_headers with login form, pops up an Authorization
> failed window. I have tried to use my manager and superuser name and the same
> values that I submitted, but nothing is accepted in the auth. window.
...
> So I have an authenticated user and I still can't log in. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore since I
> installed Zope 2.2.0 on Solaris. Why is Zope security trying to validate
> 'cn', which is a value that I submit to another document?
>
> What went wrong here and how do I fix this problem?

Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between
2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the
security level of the _owner_ of the method, regardless of whether this is a
lower or higher level than the currently authenticated user. My guess is
that your method has no owner (which is what pre-2.2.x objects default to
when run under 2.2.x). This means it is running as anonymous which does not
have rights to do what you want. Specify an owner for the method that has
sufficient rights to do what you want and try it again.
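The traceback above ends in careful_getattr -> validate, the point where Zope 2.2's security policy decides whether DTML may read an attribute of the object an external method returned. The following is an added example, not code from the thread or from Zope: a simplified model of that "unprotected subobject" rule, with a plain result class like the poster's beside one that declares, via the real Zope 2 hook __allow_access_to_unprotected_subobjects__, exactly which attributes DTML may read. The class names, the validate() stand-in and the sample values are constructed for illustration.

```python
# Simplified model (constructed for this example, not Zope's own code) of why
# <dtml-var "resDTML.cn"> raises "Unauthorized: cn": an attribute whose value
# carries no __roles__ is refused unless the container object says otherwise
# through __allow_access_to_unprotected_subobjects__ (a real Zope 2 hook).

class Unauthorized(Exception):
    pass

def validate(container, name):
    """Return container.<name> or raise Unauthorized(name), as in the traceback."""
    value = getattr(container, name)
    # Values with their own __roles__ are checked against the user's roles
    # (not modelled here); the poster's strings and ints have none.
    if hasattr(value, "__roles__"):
        return value
    allow = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
    if allow is None:
        allowed = False                        # default: deny
    elif isinstance(allow, dict):
        allowed = bool(allow.get(name, 0))     # per-attribute allow list
    elif callable(allow):
        allowed = bool(allow(name, value))     # policy function (name, value)
    else:
        allowed = bool(allow)                  # plain 1 / 0
    if not allowed:
        raise Unauthorized(name)
    return value

# What the thread's external method returns: a plain instance, no security info.
class AuthResultDenied:
    def __init__(self, cn, account):
        self.cn = cn
        self.account = account

# Same data, but it names the attributes DTML may read and nothing more
# (least privilege: anything else set on the instance stays unreadable).
class AuthResultAllowed(AuthResultDenied):
    __allow_access_to_unprotected_subobjects__ = {"cn": 1, "account": 1}

def render_cn(result):
    """Stand-in for <dtml-var "resDTML.cn">: the value, or the error text."""
    try:
        return validate(result, "cn")
    except Unauthorized as e:
        return "Unauthorized: %s" % e
```

Running render_cn on an AuthResultDenied instance reproduces the "Unauthorized: cn" text; the allowed class renders cn and account but still refuses any other attribute.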