[Zope] Re: Little explanation
Tres Seaver
tseaver at zope.com
Wed Oct 13 09:28:33 EDT 2004
bruno modulix wrote:
> Sébastien Vinot wrote:
>
>> Continuing to investigate my problem
>
>
> Which is ?-)
>
>> I get now this error " You are not
>> allowed to access 'aq_inner' in this context " for one specific user.
>>
>> I've read that aq_inner is the acquisition system : how is it possible
>> not to have rights on it ?
>
>
> UTSL !-)
>
> AFAIK, aq_self, aq_parent, aq_inner, etc, are under control of the
> security mechanism and are not accessible from the 'restricted'
> environment (scripts, ZPT, DTML etc.). You can only use 'em from Products
> or External Methods.
>
Actually, the ZopeSecurity policy normally prohibits access from
untrusted code to any acquisition methods *except* 'aq_parent',
'aq_inner', and 'aq_explicit' (search
$ZOPE_HOME/lib/python/AccessControl/ImplPython.py for 'valid_aq').
The exceptions then go through the "normal" validation process.

Try adding Shane Hathaway's VerboseSecurity product to your Zope (while
debugging such issues); it often gives you many more clues to what
triggers an Unauthorized exception:

http://hathawaymix.org/Software/VerboseSecurity

Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
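
Added example (not part of the original message and not Zope's own code): a simplified Python model of the two-stage check described in the reply, showing why 'aq_inner' can be refused for one specific user while another user gets through. The function names, the role lists and the plain role-intersection test standing in for Zope's "normal" validation are assumptions made for illustration.

```python
# Simplified model (not Zope source) of the two-stage check described above.
VALID_AQ = ("aq_parent", "aq_inner", "aq_explicit")  # names from the message


class Unauthorized(Exception):
    pass


def validate(name, required_roles, user_roles):
    """Return True if restricted code may access `name`, else raise.

    required_roles: roles protecting the object the name resolves to
                    (None models a public object).
    user_roles:     roles the current user holds in that context.
    """
    # Stage 1: acquisition names outside the allow-list are always refused,
    # whoever the user is.
    if name.startswith("aq_") and name not in VALID_AQ:
        raise Unauthorized("%r is never available to untrusted code" % name)
    # Stage 2: everything else, including the three allowed aq_ names,
    # goes through the ordinary role check (assumed: simple intersection).
    if required_roles is None or set(required_roles) & set(user_roles):
        return True
    raise Unauthorized("You are not allowed to access %r in this context" % name)


def check(name, required_roles, user_roles):
    """Wrap validate() and report the outcome as a string for comparison."""
    try:
        validate(name, required_roles, user_roles)
        return "allowed"
    except Unauthorized as exc:
        return "denied: %s" % exc


if __name__ == "__main__":
    # Constructed sample users and role requirements.
    for user, roles in (("manager", ["Manager"]), ("visitor", ["Anonymous"])):
        for name in ("aq_inner", "aq_self", "title"):
            print(user, name, check(name, ["Manager", "Owner"], roles))
```

In this model a per-user failure on 'aq_inner' comes from the second stage, so the thing to inspect is the user's roles in that context rather than the acquisition name itself.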