[Zope] ZWiki RecentChanges don't work in Zope 2.2.x

Martijn Pieters mj@digicool.com
Mon, 25 Sep 2000 18:21:55 +0200


On Mon, Sep 25, 2000 at 04:14:03PM +0100, Chris Withers wrote:
> ...you get an authorization error :-(
> 
> This is because this Wiki isn't (and shouldn't be) publicly viewable or
> editable.
> 
> So, Anonymous doesn't have 'View' permission on the folder. I've given
> Anonymous 'Access Contents Information', the usual nasty hack I had to
> do before, but now that just changes the error message :-S (it's in a PS
> below)
> 
> I guess the Interfaces Wiki does pretty much this, but RecentChanges
> works there. What tweaks to permissions and code have been made there?
> 
> This all stems from the fact that DTML in Wiki code _always_ executes
> with the Anonymous role. That's stoopid :-(
> Wouldn't it make more sense for it to execute with whatever Proxy Roles
> that Wiki Page has?
> I would code this myself, but I don't know how. Any ideas?
> 
> Any other thoughts about the problem?

I have seen the same problem; the getSize method isn't accessible to
RecentChanges, even though the Authenticated User has the View permission.
Only when you explicitly give Anonymous the View permission on the Folder
(or every individual ZWiki page), will RecentChanges render.

This is caused by specific 'safetybelting', implemented by Jim Fulton, to
mitigate the risks of ZWikis becoming an easy entry point for a Trojan
Horse attack. 

With the new security policy in Zope 2.2, this is no longer necessary, and
you can comment out the restriction. Just remove or comment out the
'validate' method in the file Products/ZWiki/ZWikiPage.py and restart your
Zope server. Note that on a pre-2.2 server, this means that any DTML code
executed in a ZWiki page will be executed with the rights of the viewer!

If you still have problems, make sure that the Owner of the RecentChanges
object has rights to 'View' the ZWiki pages.

The Interfaces Wiki (and all other Zope.org Wikis) allow Anonymous to
View; only Editing and Adding new Wiki pages are restricted.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@digicool.com
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
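
The three behaviours discussed in this message, as a simplified model. This is an added example, not part of the original post and not Zope or ZWiki code. The policy names, role sets and permission table are constructed, and it assumes the Zope 2.2 rule that both the viewer and the owner of the executing object must hold a permission.

```python
# Simplified model only: constructed names, not the Zope security machinery.
SAFETYBELT = "safetybelt"        # ZWiki 'validate': page DTML is checked as Anonymous
VIEWER_ONLY = "viewer_only"      # pre-2.2 with 'validate' removed: viewer's rights only
OWNER_LIMITED = "owner_limited"  # Zope 2.2: viewer AND owner of the executing object


def roles_grant(roles, permission, acl):
    """True if any role in `roles` is granted `permission` by `acl`."""
    return bool(set(roles) & acl.get(permission, set()))


def allowed(policy, permission, acl, viewer_roles, owner_roles):
    """Decide whether code running in a page may use `permission`."""
    if policy == SAFETYBELT:
        return roles_grant({"Anonymous"}, permission, acl)
    if policy == VIEWER_ONLY:
        return roles_grant(viewer_roles, permission, acl)
    if policy == OWNER_LIMITED:
        return (roles_grant(viewer_roles, permission, acl)
                and roles_grant(owner_roles, permission, acl))
    raise ValueError("unknown policy: %r" % policy)


# Constructed permission table for a private wiki folder (no Anonymous View).
PRIVATE_WIKI = {
    "View": {"Authenticated", "Manager"},
    "Manage users": {"Manager"},
}


def scenarios():
    member, manager, nobody = {"Authenticated"}, {"Manager"}, {"Anonymous"}
    out = {}
    for policy in (SAFETYBELT, VIEWER_ONLY, OWNER_LIMITED):
        out[policy] = {
            # A member opens RecentChanges, which is owned by a Manager.
            "recent_changes": allowed(policy, "View", PRIVATE_WIKI, member, manager),
            # RecentChanges owned by someone without View on the pages.
            "owner_lacks_view": allowed(policy, "View", PRIVATE_WIKI, member, nobody),
            # A Manager views a member-owned page whose DTML needs a Manager right.
            "trojan_page": allowed(policy, "Manage users", PRIVATE_WIKI, manager, member),
        }
    return out


if __name__ == "__main__":
    for policy, result in scenarios().items():
        print(policy, result)
```

Only the owner-limited policy both renders RecentChanges for a member of a private wiki and refuses the member-owned page a Manager-only permission.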