[Zope] Can't edit ZPT through WebDAV or FTP when not a manager

Joel Burton joel@joelburton.com
Fri, 22 Feb 2002 23:41:07 -0500 (EST)


Posted this a few days ago, but haven't received any ideas. Can anyone
confirm that they *can* edit ZPTs with WebDAV/FTP as a non-manager with
Zope 2.5? I'm willing to dig into the source if I can get some input
on how specific the problem is to versions, setup, etc.

--

Synopsis:

A highly-privileged non-manager user can edit all content types through
WebDAV or FTP *except* PageTemplates. If the user is changed to a manager,
they can then edit PageTemplates through WebDAV/FTP.


Demonstration/Walkthrough:

1) in folder "/foo", create local role "test"

2) in "/foo", give role "test" *all* permissions
   (in theory, this person would only need a few privileges; to remove
    any possibility that we're guessing the wrong privileges, select
    them all)

3) add user "bob" w/role=test

4) create a ZPT document "test.pt" in "/foo"

5) create a DTML Document "test.dtml" in "/foo"

5) see that bob can edit both documents using ZMI w/o problem.
   (therefore, it's not privileges per se that's causing the problem)

6) see that using WebDAV/FTP, bob can edit "test.dtml"
   (therefore, it's not WebDAV setup per se that's causing the problem)

7) see that using WebDAV/FTP, bob *cannot* edit "test.pt" (!)

8) add manager role to bob

9) now bob can edit "test.pt" through WebDAV/FTP
   (therefore, it's not simply ZPT+WebDAV that's causing the problem)

Notes:

I've tried FTP and 3 WebDAV clients (cadaver, WebDrive, Dreamweaver); all
return an unauthorized message.

This isn't a firewall, client, or locking problem: I can't do it from the
server using cadaver; I've tried different client machines; using cadaver,
I can't even GET the file (which makes no attempt to lock it.)

WebDAV editing of ZPT is a critical feature for my clients. I
can't give the editors "manager" role w/o opening huge security holes.

Using cadaver w/debug settings, I can get detail on the requests and
responses: the forbidden edit request (step #7 above) just re-requests
authentication twice and fails. Happy to send the cadaver log to anyone
who might find it helpful.


Can anyone edit ZPT through WebDAV or FTP with non-managers? Can anyone
shed any light on this problem?

-- 

Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
Independent Knowledge Management Consultant