[Zope] Re: ZClasses and Permissions (Zope Collector 444)

Brent Hendricks brentmh@ece.rice.edu
Fri, 13 Sep 2002 08:28:04 -0500


Dieter Maurer wrote:
>  > Digging into the 
>  > Zope code a bit, I discovered that manage_renameObjects falls under the 
>  > "View management screens" permission,
> Almost surely, your problem is not caused by a missing permission
> on "manage_renameObjects" itself, but inside "manage_pasteObjects".
> Cancel the browser login dialog and look at the traceback.
> Where does the exception come from?

Here's the last few lines:

     (Info: ({'script': <PythonScript instance at 8d4add0>, 'context': <RisaWorkgroup instance at 8fb22a0>, 'container': <RisaWorkgroup instance at 8fb22a0>, 'traverse_subpath': []}, (), {}, None))
   File Script (Python), line 17, in renameFiles
   File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 286, in manage_renameObjects
     (Object: 192)
   File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 301, in manage_renameObject
     (Object: 192)
   File /usr/local/lib/zope/lib/python/OFS/CopySupport.py, line 414, in _verifyObjectPaste
     (Object: 192)
Unauthorized: Add Documents, Images, and Files

It's not going through manage_pasteObjects, but the function that raises 
the error does appear to be _verifyObjectPaste (perhaps this is what you 
meant?)

> This may be able to map "View management screens" such that you can
> access "manage_renameObjects", but probably "manage_pasteObjects"
> still fails because the necessary permission (create permission)
> is checked on the target ObjectManager.

Gotcha.  Hence the "Unauthorized: Add Documents, Images, and Files."  In 
this case, the ObjectManager in question is an instance of my ZClass, 
which subclasses ZObjectManager.

It looks like _verifyObjectPaste is calling

getSecurityManager().checkPermission( mt_permission, self ), and this is 
failing.  Digging through the source code a bit, it doesn't look like 
checkPermission() checks for proxy roles.  In fact, looking at the 
current CVS HEAD, there's even a comment to this effect:

"# XXX proxy roles and executable owner are not checked"

:(


--Brent

-------------------------------------------------------------------------

"The programmer, like the poet, works only slightly removed from pure
  thought-stuff.  He builds his castles in the air, from air, creating
  by exertion of the imagination.  Few media of creation are so
  flexible, so easy to polish and rework, so readily capable of
  realizing grand conceptual structures."
                         -- Frederick Brooks, Jr., The Mythical Man Month
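
An added sketch, not part of the original message and not Zope's code: a simplified model of the two checks in the traceback above, assuming that access to manage_renameObjects is validated against the calling script's proxy roles while the checkPermission() call in _verifyObjectPaste looks only at the user's own roles. The classes, role names and the rename_via_script/outcome helpers are hypothetical.

```python
# Simplified model of the two checks in the traceback; not Zope source.
# All class, role and helper names below are constructed for illustration.

class Unauthorized(Exception):
    pass

class Script:
    """Executable that may carry proxy roles, like a Script (Python)."""
    def __init__(self, proxy_roles=()):
        self.proxy_roles = set(proxy_roles)

class Folder:
    """Target container: permission name -> roles that hold it."""
    def __init__(self, permission_roles):
        self.permission_roles = permission_roles

class SecurityManager:
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.stack = []  # executables currently running

    def _granted(self, permission, obj):
        return set(obj.permission_roles.get(permission, ()))

    def validate(self, permission, obj):
        """Access check: proxy roles of the running script replace user roles."""
        top = self.stack[-1] if self.stack else None
        roles = top.proxy_roles if top and top.proxy_roles else self.user_roles
        return bool(roles & self._granted(permission, obj))

    def checkPermission(self, permission, obj):
        """Models the behaviour in the message: proxy roles are not checked."""
        return bool(self.user_roles & self._granted(permission, obj))

VMS = "View management screens"
ADD = "Add Documents, Images, and Files"

def rename_via_script(sm, script, folder):
    sm.stack.append(script)
    try:
        if not sm.validate(VMS, folder):         # reaching manage_renameObjects
            raise Unauthorized(VMS)
        if not sm.checkPermission(ADD, folder):  # check in _verifyObjectPaste
            raise Unauthorized(ADD)
        return "renamed"
    finally:
        sm.stack.pop()

def outcome(user_roles, proxy_roles):
    folder = Folder({VMS: ["Manager"], ADD: ["Manager"]})
    try:
        return rename_via_script(SecurityManager(user_roles), Script(proxy_roles), folder)
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc
```

In this model, a user with only the constructed "Member" role who calls a script carrying a "Manager" proxy role gets past the first check and fails at the second, which matches the last line of the traceback.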