Re: [Zope] Acquisition / proxying object
Joerg Baach wrote at 2008-2-25 19:45 +:
> ...
> I am trying to have a folderish object that acquires from a user object
> (ldapuserfolder). It should have its own properties and contents, but fall
> back to the ones of the ldap user. I have created an object, extending
> Folder, and it behaves nicely in zopectl debug. When I try to access it
> through e.g. a python script I get an:
>
> Error Type: Unauthorized
> Error Value: Unable to find __roles__ in the container and the container
> is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
> /testfolder/ldapproxy), denied.

When you access attribute x (with value xv) on object o, Zope will first
check whether xv has security declarations (more precisely, a __roles__
attribute). If it has, they are used. Otherwise, Zope checks for
o.x__roles__. If found, they are used. Otherwise, o.__roles__ may be
examined (under some circumstances).

Note that for most security declarations, o needs to be fully acquisition
wrapped. Otherwise, there may be two problems:

 * Zope cannot find the information to map permissions to roles (as this
   mapping is defined on the acquisition path leading to the root)

 * o is not covered by the user folder which has identified the current
   user. A user has only special roles on objects covered by its user
   folder. An object is covered by a user folder when the object lies in
   the subtree rooted in the user folder's container.

-- 
Dieter

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
Joerg Baach wrote at 2008-2-25 22:03 +:
> ...
> Error Type: Unauthorized
> Error Value: Your user account is defined outside the context of the
> object being accessed.

This is a different spelling for what I called in the last message "object
not covered by the user folder identifying the current user".

-- 
Dieter
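The lookup order in Dieter's two replies above, as an added, simplified Python model that is not Zope's AccessControl code and not from this thread; Wrapper is a toy substitute for an Acquisition wrapper, and root, testfolder, proxy, remote and admin are constructed stand-ins for Joerg's /testfolder/ldapproxy layout. It reproduces both Unauthorized messages seen in the thread and shows that an unwrapped container is rejected before __allow_access_to_unprotected_subobjects__ is consulted at all.

```python
from types import SimpleNamespace as Obj   # bare content object with arbitrary attributes
class Unauthorized(Exception):
    pass
_noroles = object()   # sentinel: no security declaration found
def aq_base(o):
    return getattr(o, 'aq_base', o)
class Wrapper:        # stand-in for an implicit acquisition wrapper: object plus its chain
    def __init__(self, obj, parent=None):
        self.aq_base, self.aq_parent = aq_base(obj), parent
    def chain(self):                  # unwrapped objects from here up to the top of the chain
        w = self
        while w is not None:
            yield aq_base(w)
            w = getattr(w, 'aq_parent', None)
    def __getattr__(self, name):      # implicit acquisition: first hit walking up the chain
        for base in self.chain():
            if hasattr(base, name):
                return getattr(base, name)
        raise AttributeError(name)
class User:
    def __init__(self, roles, home):  # home: the container of the user's user folder
        self.roles, self.home = roles, home
    def in_context(self, obj):        # the user folder covers obj only if home is on its chain
        return isinstance(obj, Wrapper) and any(b is self.home for b in obj.chain())

def validate(user, accessed, container, name, value):
    roles = getattr(value, '__roles__', _noroles)                           # 1. xv.__roles__
    if roles is _noroles:
        roles = getattr(aq_base(container), name + '__roles__', _noroles)  # 2. o.x__roles__
    if roles is _noroles:
        roles = getattr(aq_base(container), '__roles__', _noroles)         # 3. o.__roles__
        if roles is _noroles and aq_base(container) is not aq_base(accessed):
            if not isinstance(container, Wrapper):
                raise Unauthorized('Unable to find __roles__ in the container '
                                   'and the container is not wrapped')
            roles = getattr(container, '__roles__', _noroles)              # acquire it
        if not getattr(container, '__allow_access_to_unprotected_subobjects__', 0):
            raise Unauthorized('The container has no security assertions')
        if roles is _noroles:
            return True
        value = container             # the security-aware object the user is checked against
    if roles is None or 'Anonymous' in roles:
        return True
    if not any(r in user.roles for r in roles):
        raise Unauthorized('Your user account does not have the required permission')
    if not user.in_context(value):
        raise Unauthorized('Your user account is defined outside the context '
                           'of the object being accessed')
    return True

# Constructed stand-ins for /testfolder/ldapproxy and the LDAP user (not real data).
root = Obj(__roles__=('Manager',))                  # /acl_users sits here
testfolder, proxy = Obj(), Obj(__roles__=('Manager',))
remote = Obj(dn='cn=test', __allow_access_to_unprotected_subobjects__=1)
admin = User(roles=('Manager',), home=root)
def check(accessed, container, name, value):
    try:
        return validate(admin, accessed, container, name, value) and 'ok'
    except Unauthorized as e:
        return str(e)
def dn_with_user_on_top():            # Folder.__of__(self, parent.__of__(remote))
    accessed = Wrapper(proxy, Wrapper(testfolder, remote))   # remote: unwrapped top
    return check(accessed, remote, 'dn', remote.dn)
def proxy_wrapped_only_in_user():     # ImplicitAcquisitionWrapper(self, remote)
    tf = Wrapper(testfolder, Wrapper(root))
    return check(tf, tf, 'ldapproxy', Wrapper(proxy, Wrapper(remote)))
def dn_with_user_wrapped_in_parent(): # aq_base(remote).__of__(parent)
    user_w = Wrapper(remote, Wrapper(testfolder, Wrapper(root)))
    return check(Wrapper(proxy, user_w), user_w, 'dn', remote.dn)
```

Only the last arrangement keeps root on the chain of the object the user is checked against, which is why it is the one that survives both checks.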
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 23:52:26 Joerg Baach wrote:
> Hi *,
>
> > But somehow I have the feeling it has more to do with the 'and the
> > container is not wrapped' part of the message. Not that I can make
> > sense of it ;-)
>
> Mmm, after even more searching, and not understanding I found
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg11438.html and changed
> my code to:
>
>     def __of__(self, parent):
>         '''foo'''
>         if not hasattr(parent, 'aq_base'):
>             return self
>         folder, id = self.remoteid.split(':')
>         acl = parent.unrestrictedTraverse(folder)

You're now doing no security checks on traversal, probably that's why you
don't get any Unauthorized exceptions :-)

- peter.

>         remote = acl.getUser(id)
>         return Acquisition.ImplicitAcquisitionWrapper(
>             aq_base(self), aq_base(remote).__of__(parent))
>
> Now, this actually seems to work. If only I knew why
>
> Cheers,
>
> Joerg
Re: [Zope] Acquisition / proxying object
Hi Peter,

> >         acl = parent.unrestrictedTraverse(folder)

when changing to

    acl = parent.restrictedTraverse(folder)

I still don't get the Unauthorized exceptions. Anyhow, I will have to do a
bit more wrapping, and then see if the solutions survive the security
testing ;-)

Cheers,

Joerg
Re: [Zope] Acquisition / proxying object
This is maybe a naive suggestion but if Zope's TTW execution (e.g. Python
Scripts) can't find a __roles__ on the object at hand doesn't that just
mean that the class wasn't initialized with any security?

    class LDAPProxy(Folder):
        ...

    from Globals import InitializeClass
    InitializeClass(LDAPProxy)

That should set the *__roles__ on all its methods.

Joerg Baach wrote:
> Hi *,
>
> I am trying to have a folderish object that acquires from a user object
> (ldapuserfolder). It should have its own properties and contents, but fall
> back to the ones of the ldap user. I have created an object, extending
> Folder, and it behaves nicely in zopectl debug. When I try to access it
> through e.g. a python script I get an:
>
> Error Type: Unauthorized
> Error Value: Unable to find __roles__ in the container and the container
> is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
> /testfolder/ldapproxy), denied.
>
> I am sure it's my lack of understanding of acquisition. I am trying to
> basically put the ldap user object 'on top' of the acquisition line (with
> the ldapproxy at the bottom), but obviously failing in doing so. Any ideas?
>
> Cheers,
>
> Joerg
>
> 8<-- excerpt from code ---
>
>     class LDAPProxy(Folder):
>         meta_type = 'LDAPProxy'
>
>         def __init__(self, id, remoteid, title='', REQUEST=None):
>             self.id = id
>             self.title = title
>             self.remoteid = remoteid
>
>         def __of__(self, parent):
>             if not hasattr(parent, 'aq_base'):
>                 return self
>             folder, id = self.remoteid.split(':')
>             acl = parent.restrictedTraverse(folder)
>             remote = acl.getUser(id)
>             return Folder.__of__(self, parent.__of__(remote))
>
> --- teststructure ---
>
>     /testfolder/
>         ldapproxy   (LDAPProxy)
>         acl_users/
>         testscript  (.py)
>
> 8<-- testscript ---
>
>     return context.ldapproxy.dn
>
> --- traceback ---
>
> [traceback snipped]

-- 
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
[Zope] Acquisition / proxying object
Hi *,

I am trying to have a folderish object that acquires from a user object
(ldapuserfolder). It should have its own properties and contents, but fall
back to the ones of the ldap user. I have created an object, extending
Folder, and it behaves nicely in zopectl debug. When I try to access it
through e.g. a python script I get an:

Error Type: Unauthorized
Error Value: Unable to find __roles__ in the container and the container is
not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
/testfolder/ldapproxy), denied.

I am sure it's my lack of understanding of acquisition. I am trying to
basically put the ldap user object 'on top' of the acquisition line (with
the ldapproxy at the bottom), but obviously failing in doing so. Any ideas?

Cheers,

Joerg

8<-- excerpt from code ---

    from OFS.Folder import Folder

    class LDAPProxy(Folder):
        meta_type = 'LDAPProxy'

        def __init__(self, id, remoteid, title='', REQUEST=None):
            self.id = id
            self.title = title
            self.remoteid = remoteid   # '<user folder path>:<user id>'

        def __of__(self, parent):
            # not wrapped yet: nothing to acquire from
            if not hasattr(parent, 'aq_base'):
                return self
            folder, id = self.remoteid.split(':')
            acl = parent.restrictedTraverse(folder)
            remote = acl.getUser(id)
            # put the user object on top of the chain: self -> parent -> remote
            return Folder.__of__(self, parent.__of__(remote))

--- teststructure ---

    /testfolder/
        ldapproxy   (LDAPProxy)
        acl_users/
        testscript  (.py)

8<-- testscript ---

    return context.ldapproxy.dn

--- traceback ---

    Traceback (most recent call last):
      File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py, line 113, in publish
        request, bind=1)
      File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/mapply.py, line 88, in mapply
        if debug is not None: return debug(object,args,context)
      File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py, line 40, in call_object
        result=apply(object,args) # Type scr to step into published object.
      File /home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py, line 311, in __call__
        return self._bindAndExec(args, kw, None)
      File /home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py, line 348, in _bindAndExec
        return self._exec(bound_data, args, kw)
      File /home/joerg/zope/Zope-2.8.5/lib/python/Products/PythonScripts/PythonScript.py, line 323, in _exec
        result = f(*args, **kw)
      File Script (Python), line 1, in testscript
      File /home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py, line 727, in guarded_getattr
        aq_acquire(inst, name, aq_validate, validate)
      File /home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py, line 669, in aq_validate
        return validate(inst, object, name, v)
      File /home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py, line 563, in validate
        self._context)
      File /home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py, line 293, in validate
        accessed, container, name, value, context)
      File /home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py, line 808, in raiseVerbose
        raise Unauthorized(text)
    Unauthorized: Unable to find __roles__ in the container and the container is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at /testfolder/ldapproxy), denied.
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 20:45:37 Joerg Baach wrote:
> Hi *,
>
> I am trying to have a folderish object that acquires from a user object
> (ldapuserfolder). It should have its own properties and contents, but fall
> back to the ones of the ldap user. I have created an object, extending
> Folder, and it behaves nicely in zopectl debug. When I try to access it
> through e.g. a python script I get an:
>
> Error Type: Unauthorized
> Error Value: Unable to find __roles__ in the container and the container
> is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
> /testfolder/ldapproxy), denied.
>
> I am sure it's my lack of understanding of acquisition. I am trying to
> basically put the ldap user object 'on top' of the acquisition line (with
> the ldapproxy at the bottom), but obviously failing in doing so. Any ideas?

I'm not familiar with LDAPUserFolder (it's not really a user object but a
user container, isn't it?) but the error you're getting is a security error
-- the Python Script checks for security attributes before it accesses
attributes. You need to add the appropriate security declarations in your
product before it can be used inside PyScript.

You might try the verbose-security directive in zope.conf to debug stuff
like that; I hope it is available in the version of Zope you're running
(I'm on 2.10).

As a hack to disable all security checks on a class you can add the
attribute

    __allow_access_to_unprotected_subobjects__ = 1

, effectively disabling security. This of course should only be done if you
trust your users!

hth
peter.

> Cheers,
>
> Joerg
>
> 8<-- excerpt from code ---
>
>     class LDAPProxy(Folder):
>         meta_type = 'LDAPProxy'
>
>         def __init__(self, id, remoteid, title='', REQUEST=None):
>             self.id = id
>             self.title = title
>             self.remoteid = remoteid
>
>         def __of__(self, parent):
>             if not hasattr(parent, 'aq_base'):
>                 return self
>             folder, id = self.remoteid.split(':')
>             acl = parent.restrictedTraverse(folder)
>             remote = acl.getUser(id)
>             return Folder.__of__(self, parent.__of__(remote))
>
> --- teststructure ---
>
>     /testfolder/
>         ldapproxy   (LDAPProxy)
>         acl_users/
>         testscript  (.py)
>
> 8<-- testscript ---
>
>     return context.ldapproxy.dn
>
> --- traceback ---
>
> [traceback snipped]
Re: [Zope] Acquisition / proxying object
Hi Peter,

> I'm not familiar with LDAPUserFolder (it's not really a user object but a
> user container, isn't it?) but the error you're getting is a security
> error -- the Python Script checks for security attributes before it
> accesses attributes. You need to add the appropriate security
> declarations in your product before it can be used inside PyScript.

Well, even with:

    __allow_access_to_unprotected_subobjects__ = 1

I get the same error. VerboseSecurity is also on. :-(

Cheers,

Joerg
Re: [Zope] Acquisition / proxying object
> I should have mentioned that in order for verbose-security to work you
> also need to switch to the python security implementation -- did you do
> that?

Yes, I did.

> If yes, you should see lines like these in your event.log:

No, don't :-(

But somehow I have the feeling it has more to do with the 'and the
container is not wrapped' part of the message. Not that I can make sense of
it ;-)

Cheers,

Joerg
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 22:45:24 Joerg Baach wrote:
> > I should have mentioned that in order for verbose-security to work you
> > also need to switch to the python security implementation -- did you do
> > that?
>
> Yes, I did.
>
> > If yes, you should see lines like these in your event.log:
>
> No, don't :-(

Strange...

> But somehow I have the feeling it has more to do with the 'and the
> container is not wrapped' part of the message. Not that I can make sense
> of it ;-)

Yes, definitely. It's just with VerboseSecurity it's easier to debug...

Another option: put a debugger breakpoint (eg. import pdb; pdb.set_trace())
at the place where the Unauthorized exception is raised and inspect the
objects

peter.

> Cheers,
>
> Joerg
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 21:31:46 Joerg Baach wrote:
> Hi Peter,
>
> > I'm not familiar with LDAPUserFolder (it's not really a user object but
> > a user container, isn't it?) but the error you're getting is a security
> > error -- the Python Script checks for security attributes before it
> > accesses attributes. You need to add the appropriate security
> > declarations in your product before it can be used inside PyScript.
>
> Well, even with:
>
>     __allow_access_to_unprotected_subobjects__ = 1
>
> I get the same error. VerboseSecurity is also on. :-(

I should have mentioned that in order for verbose-security to work you also
need to switch to the python security implementation -- did you do that?

    security-policy-implementation python

in zope.conf

If yes, you should see lines like these in your event.log:

    2008-02-25T22:30:18 DEBUG ImplPython Unauthorized: Your user account does not have the required permission.
    Access to 'manage' of (Application at ) denied.
    Your user account, Anonymous User, exists at /acl_users.
    Access requires one of the following roles: ['Manager'].
    Your roles in this context are ['Anonymous'].

peter.

> Cheers,
>
> Joerg
Re: [Zope] Acquisition / proxying object
ps.: http://www.zope.org/Documentation/Books/ZDG/current/Security.stx has
old but AFAIK still good info

On Monday 25 February 2008 22:45:24 Joerg Baach wrote:
> > I should have mentioned that in order for verbose-security to work you
> > also need to switch to the python security implementation -- did you do
> > that?
>
> Yes, I did.
>
> > If yes, you should see lines like these in your event.log:
>
> No, don't :-(
>
> But somehow I have the feeling it has more to do with the 'and the
> container is not wrapped' part of the message. Not that I can make sense
> of it ;-)
>
> Cheers,
>
> Joerg
Re: [Zope] Acquisition / proxying object
Hi again,

> 2008-02-25T22:30:18 DEBUG ImplPython Unauthorized: Your user account does
> not have the required permission. Access to 'manage' of (Application at )
> denied. Your user account, Anonymous User, exists at /acl_users. Access
> requires one of the following roles: ['Manager']. Your roles in this
> context are ['Anonymous'].

Actually, if I change my code to something like:

    import Acquisition

    def __of__(self, parent):
        '''foo'''
        if not hasattr(parent, 'aq_base'):
            return self
        folder, id = self.remoteid.split(':')
        acl = parent.restrictedTraverse(folder)
        remote = acl.getUser(id)
        # wrap the proxy in the user first, then in its real parent
        self = Acquisition.ImplicitAcquisitionWrapper(self, remote)
        self = Acquisition.ImplicitAcquisitionWrapper(self, parent)
        return self

(idea taken from http://www.mail-archive.com/[EMAIL PROTECTED]/msg11713.html)

I get a

Error Type: Unauthorized
Error Value: Your user account is defined outside the context of the object
being accessed. Access to 'ldapproxy' of (Folder at /testfolder) denied.
Your user account, admin, exists at /acl_users. Access requires one of the
following roles: ['Manager'].

Well, admin has 'Manager'.

/me scratches his head

Cheers,

Joerg
Re: [Zope] Acquisition / proxying object
Hi *,

> But somehow I have the feeling it has more to do with the 'and the
> container is not wrapped' part of the message. Not that I can make sense
> of it ;-)

Mmm, after even more searching, and not understanding I found
http://www.mail-archive.com/[EMAIL PROTECTED]/msg11438.html and changed my
code to:

    import Acquisition
    from Acquisition import aq_base

    def __of__(self, parent):
        '''foo'''
        if not hasattr(parent, 'aq_base'):
            return self
        folder, id = self.remoteid.split(':')
        acl = parent.unrestrictedTraverse(folder)
        remote = acl.getUser(id)
        # wrap the bare user in the parent, then the bare proxy in that user
        return Acquisition.ImplicitAcquisitionWrapper(
            aq_base(self), aq_base(remote).__of__(parent))

Now, this actually seems to work. If only I knew why

Cheers,

Joerg