[Zope] BUG? Non-manager can't edit ZPT with WebDAV or FTP; can with ZMI

Joel Burton joel@joelburton.com
Tue, 19 Feb 2002 12:50:27 -0500 (EST)


Synopsis:

A highly-privileged non-manager user can edit all content types through
WebDAV or FTP *except* PageTemplates. If user is changed to a manager,
they can now edit PageTemplates through WebDAV/FTP.


Demonstration/Walkthrough:

1) in folder "/foo", create local role "test"

2) in "/foo", give role "test" *all* permissions
   (in theory, this person would only need a few privileges; to remove
    any possibility that we're guessing the wrong privileges, select
    them all)

3) add user "bob" w/role=test

4) create a ZPT document "test.pt" and a DTML Document "test.dtml" in "/foo"

5) see that bob can edit both documents using ZMI w/o problem.
   (therefore, it's not privileges per se that's causing the problem)

6) see that using WebDAV/FTP, bob can edit "test.dtml"
   (therefore, it's not WebDAV setup per se that's causing the problem)

7) see that using WebDAV/FTP, bob *cannot* edit "test.pt" (!)

8) add manager role to bob

9) now bob can edit "test.pt" through WebDAV/FTP
   (therefore, it's not simply ZPT+WebDAV that's causing the problem)

Notes:

I've tried FTP and 3 WebDAV clients (cadaver, WebDrive, Dreamweaver); all
return an unauthorized message.

This isn't a firewall, client, or locking problem: I can't do it from the
server using cadaver; I've tried different client machines; using cadaver,
I can't even GET the file (which makes no attempt to lock it).

WebDAV editing of ZPT is a critical feature for my clients. I
can't give the editors "manager" role w/o opening huge security holes.

Using cadaver w/debug settings, I can get detail on the requests and
responses: the forbidden edit request (step #7 above) just re-requests
authentication twice and fails. Happy to send the cadaver log to anyone
who might find it helpful.


Can anyone edit ZPT through WebDAV or FTP with non-managers? Can anyone
shed any light on this problem?

I do read zpt@zope.org, but a cc to me directly would be appreciated.
Thanks in advance!

-- 

Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
Independent Knowledge Management Consultant
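An added regression check for the asymmetry the walkthrough describes, written here and not part of the original post or of Zope itself: it records the status each account gets for GET and PUT on each document over WebDAV and reports the role/method pairs that are denied on some documents but allowed on their siblings in the same folder. The server URL, the account names and the document paths are assumptions, and OBSERVED is a constructed sample mirroring the post's observations rather than captured server output.

```python
import base64
import http.client
from urllib.parse import urlsplit

def basic_auth(user, password):
    """Authorization header value, as cadaver or WebDrive would send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def probe(base_url, user, password, path, method, body=None):
    """Issue one authenticated request and return the HTTP status code."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    headers = {"Authorization": basic_auth(user, password)}
    if body is not None:
        headers["Content-Type"] = "text/html"
    conn.request(method, u.path.rstrip("/") + path, body=body, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status

def access_matrix(base_url, accounts, paths, methods=("GET", "PUT")):
    """Map (user, path, method) -> status; PUT overwrites, so use scratch docs."""
    matrix = {}
    for user, password in accounts:
        for path in paths:
            for method in methods:
                body = "<p>probe</p>\n" if method == "PUT" else None
                matrix[(user, path, method)] = probe(
                    base_url, user, password, path, method, body)
    return matrix

def find_gaps(matrix):
    """{(user, method): {path: status}} where a user is allowed on some paths
    but denied (status >= 400) on others, i.e. a per-content-type asymmetry."""
    per_user_method = {}
    for (user, path, method), status in matrix.items():
        per_user_method.setdefault((user, method), {})[path] = status
    return {key: res for key, res in per_user_method.items()
            if len({s >= 400 for s in res.values()}) > 1}

# Constructed sample mirroring the post (not real server output): role "test"
# edits test.dtml but gets 401 on test.pt; a manager account edits both.
OBSERVED = {
    ("bob", "/foo/test.dtml", "GET"): 200, ("bob", "/foo/test.dtml", "PUT"): 204,
    ("bob", "/foo/test.pt", "GET"): 401, ("bob", "/foo/test.pt", "PUT"): 401,
    ("admin", "/foo/test.dtml", "GET"): 200, ("admin", "/foo/test.dtml", "PUT"): 204,
    ("admin", "/foo/test.pt", "GET"): 200, ("admin", "/foo/test.pt", "PUT"): 204,
}
```

Against a live server, `find_gaps(access_matrix("http://zope.example:8080", [("bob", "pw"), ("admin", "pw")], ["/foo/test.dtml", "/foo/test.pt"]))` should come back empty once the permission mapping is fixed; a non-empty result pinpoints the document type that still denies the role.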