Re: [Zope] zope 2.7: Unauthorized in this context
>>>>> "Dieter" == Dieter Maurer [EMAIL PROTECTED] writes:

    Dieter> John Hunter wrote at 2005-6-7 09:52 -0500:
    >> ...
    >> Traceback (innermost last):
    >> ...
    >> URL: http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
    >> Physical Path:/srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm
    >> * Module DocumentTemplate.DT_String, line 474, in __call__
    >> * Module DocumentTemplate.DT_With, line 76, in render
    >> Unauthorized: You are not allowed to access 'mentor' in this context

    Dieter> The VerboseSecurity product may give you more detailed
    Dieter> information.

Hi Dieter,

I installed VerboseSecurity and now get a more helpful error message in the log (to refresh your memory, this is a pure ZClass based product which stopped working on an upgrade to 2.7). Here is the updated message

  Exception Type   Unauthorized
  Exception Value  The container has no security assertions. Access to 'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.

I googled this error message and found this thread, http://www.gossamer-threads.com/lists/zope/users/176379. You responded to the OP

> > Unauthorized: The container has no security assertions. Access to
> > 'title_or_id' of (FactoryDispatcher instance at e68510) denied.
> > (Also, an error occurred while attempting to render the standard
> > error message.)
>
> This is very strange:
>
> It is true that a FactoryDispatcher (App.FactoryDispatcher.FactoryDispatcher)
> does not have security assertions. But usually, it does not have
> a title_or_id either. Therefore, it should not be relevant
> with respect to title_or_id access that it lacks security assertions.
>
> Maybe, it is a bug introduced with the security tightening introduced
> in Zope 2.7.3 (there was some discussion about such a bug in the
> mailing list (zope-dev, I think)).
>
> You can try to add a __role__ = None and maybe a
> __allow_access_to_unprotected_subobjects__ = 1 to the
> FactoryDispatcher class (-- App/FactoryDispatcher.py) to see
> whether the problem disappears. These two attributes will provide
> security assertions for the factory.
>
> Your header/manage_main DTML Method seems a bit strange, too.
> Why does it use a dtml-in and in it a dtml-with and in it
> access to title_or_id. This is somewhat unexpected in the add form
> of a ZClass.

But there was no followup. Before I start hacking App/FactoryDispatcher.py, I wanted to check in here and see if there was a resolution to this problem, if this is a known bug with a fix, etc.

Thanks!
JDH

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] zope 2.7: Unauthorized in this context
>>>>> "John" == John Hunter [EMAIL PROTECTED] writes:

    John> I installed VerboseSecurity and now get a more helpful error
    John> message in the log (to refresh your memory, this is a pure
    John> ZClass based product which stopped working on an upgrade to
    John> 2.7). Here is the updated message

    John> Exception Type Unauthorized
    John> Exception Value The container has no security
    John> assertions. Access to 'mentor' of (FactoryDispatcher
    John> instance at 40aeafb0) denied.

OK, for the records, the following patch suggested by Dieter did in fact fix this problem. Thanks Dieter!

render:/usr/share/zope2.7/lib/python/App diff -c FactoryDispatcher.py FactoryDispatcher.py.bak *** FactoryDispatcher.py2005-06-15 10:01:07.0 -0500 --- FactoryDispatcher.py.bak2005-06-15 09:59:47.0 -0500 *** *** 42,49 _owner=UnownableOwner ! __allow_access_to_unprotected_subobjects__=1 ! __role__ = None def __init__(self, product, dest, REQUEST=None): if hasattr(product,'aq_base'): product=product.aq_base self._product=product --- 42,48 _owner=UnownableOwner ! def __init__(self, product, dest, REQUEST=None): if hasattr(product,'aq_base'): product=product.aq_base self._product=product

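Review bot: In the changed lines at 42,49 the second attribute is spelled '__role__', while the follow-up in this thread names '__roles__' as the attribute that is missing; as written, '__role__ = None' is probably inert and only '__allow_access_to_unprotected_subobjects__=1' changes behaviour. That flag is set on the class, so it relaxes the container check for every unprotected subobject reached through any FactoryDispatcher, not only 'mentor'; if it has to stay, it should carry a comment marking it as a temporary workaround, with the declaration moved to the accessed objects. The diff was also taken as 'diff -c FactoryDispatcher.py FactoryDispatcher.py.bak', so the '***' side is the patched file and applying it as posted would revert the change; regenerate it with the .bak file first.
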
Re: [Zope] zope 2.7: Unauthorized in this context
>>>>> "Dieter" == Dieter Maurer [EMAIL PROTECTED] writes:

    Dieter> Note that this is only a hack!

    Dieter> All objects in the FactoryDispatcher should provide
    Dieter> their own security declarations. Then, they would not
    Dieter> depend on that of the container.

    Dieter> Thus, the primary problem is that mentor magically
    Dieter> does not have a __roles__ attribute or (maybe) that it
    Dieter> was never expected to be accessed via the
    Dieter> FactoryDispatcher.

My classes are all defined through the old ZClass mechanism and I don't see any way to fix the problem on my end. I've added these security assertions and roles when writing pure python products, but do not know how to do it with ZClasses (is it possible?)

Is this a bug in my ZClasses or a zope bug?

Thanks!
JDH

    Dieter> --
    Dieter> Dieter

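The fallback Dieter describes above, as a simplified model added here (not part of the thread and not Zope's AccessControl code). The dispatcher classes, the check() helper and the sample values are constructed, and the mentor__roles__ lookup is this model's stand-in for a per-attribute declaration; it contrasts the class-wide flag with declaring roles on the accessed attribute.

```python
# Simplified model of the check discussed in the thread.
# Added illustration only: this is NOT Zope's AccessControl implementation.
class Unauthorized(Exception):
    pass

_MISSING = object()

def declared_roles(container, name, value):
    """Roles declared on the value itself, or per attribute on the container's class."""
    roles = getattr(value, "__roles__", _MISSING)
    if roles is _MISSING:
        # Model assumption: a plain value (e.g. a string) is declared as <name>__roles__.
        roles = getattr(type(container), name + "__roles__", _MISSING)
    return roles

def validate(container, name, value, user_roles):
    roles = declared_roles(container, name, value)
    if roles is _MISSING:
        # No declaration on the value: fall back to the container's assertions.
        allow = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
        if allow is None:
            raise Unauthorized("The container has no security assertions. "
                               "Access to %r of %s denied." % (name, type(container).__name__))
        if not allow:
            raise Unauthorized("Access to unprotected %r denied." % name)
        roles = getattr(container, "__roles__", None)
    if roles is None or set(roles) & set(user_roles):  # None means public
        return True
    raise Unauthorized("You are not allowed to access %r in this context" % name)

class BareDispatcher:                      # constructed: no assertions at all
    mentor = "constructed sample value"
    internal_note = "constructed, never meant to be published"

class HackedDispatcher(BareDispatcher):    # the class-wide workaround
    __allow_access_to_unprotected_subobjects__ = 1

class DeclaredDispatcher(BareDispatcher):  # per-attribute declaration instead
    mentor__roles__ = ("Student", "Manager")

def check(container, name, user_roles):
    """Return True on success, or the Unauthorized message on denial."""
    try:
        return validate(container, name, getattr(container, name), user_roles)
    except Unauthorized as exc:
        return str(exc)

if __name__ == "__main__":
    for cls in (BareDispatcher, HackedDispatcher, DeclaredDispatcher):
        for attr in ("mentor", "internal_note"):
            print(cls.__name__, attr, check(cls(), attr, ["Student"]))
```

In the model, the bare container denies even a Manager, the flagged container exposes internal_note to any role, and the declared container opens only mentor to the listed roles.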
[Zope] zope 2.7: Unauthorized in this context
I recently upgraded my zope server to 2.7 and a product I wrote which makes heavy use of Z-Classes is now broken. This is a workflow site for a course, and there are Course, Section, Student, ProjectSubmission, etc as ZClasses. To view the page at all students undergo basic authentication.

When students want to submit some homework (they have the Add Project Submissions Class Permission) they click on a link like the following for the ProjectSubmission add form

  http://myserver.com/Sections/S1/J%20Hunter/manage_addProduct/Course/ProjectSubmission_addForm?project_id=A%20Projstudent_id=J%20Hunter

Where J Hunter is the Student, S1 is the Section and A Proj is the ProjectSubmission. This was working fine until the upgrade, the link took them to the ProjectSubmission_addForm and they could add their submission.

After the upgrade, now they get another authentication dialog box and after reentering their username and password, they get the dialog box again, and then if they hit cancel they get (verbose info below)

  Traceback (innermost last):
    * Module ZPublisher.Publish, line 101, in publish
    * Module ZPublisher.mapply, line 88, in mapply
    * Module ZPublisher.Publish, line 39, in call_object
    * Module OFS.DTMLMethod, line 130, in __call__
      DTMLMethod instance at 4128fef0
      URL: http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
      Physical Path:/srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm
    * Module DocumentTemplate.DT_String, line 474, in __call__
    * Module DocumentTemplate.DT_With, line 76, in render
  Unauthorized: You are not allowed to access 'mentor' in this context

mentor is a field in the StudentPropertySheet. Interestingly, the same result occurs even if I enter a manager or site-root username/password in the authentication dialog box.

I googled for the error message and found http://mail.zope.org/pipermail/zope-dev/2004-January/021501.html

Based on my read of this, I tried adding the Manager proxy role to ProjectSubmission_addForm but this did not help.

Any ideas? The add form and the verbose traceback are included below. As I say, all was working fine until a server upgrade so I suspect there is a recent zope feature that I am not handling properly.

Thanks,
JDH

Here is DTML Method ProjectSubmission_addForm

<dtml-comment> -*- mode: dtml; dtml-top-element: body -*- </dtml-comment>
<dtml-var standard_html_header>
<dtml-with site_params_py mapping>
<form action=ProjectSubmission_add_py method=post enctype=multipart/form-data>
<table <dtml-var form_table_params>>
<dtml-var "form_table_header_dtml(_.None, _, caption='Enter project submission information', num_columns=2)">
<dtml-comment>
<tr>
  <th <dtml-var form_table_th>>Email</th>
  <td><input size=50 name=email value=<dtml-var email>></td>
</tr>
</dtml-comment>
<tr>
  <th <dtml-var form_table_th>>Mentor</th>
  <td><input size=50 name=mentor value=<dtml-var mentor>></td>
</tr>
<tr>
  <th <dtml-var form_table_th>>Mentor email</th>
  <td><input size=50 name=mentor_email value=<dtml-var mentor_email>></td>
</tr>
<tr>
  <th <dtml-var form_table_th>>File</th>
  <td><input size=60 type=file name=file_data></td>
</tr>
<tr>
  <th <dtml-var form_table_th>>Title:</th>
  <td><TEXTAREA WRAP=virtual NAME=submission_title ROWS=2 COLS=80 tabindex=1></TEXTAREA></td>
</tr>
<tr>
  <th <dtml-var form_table_th>>Synopsis:</th>
  <td><TEXTAREA WRAP=virtual NAME=description ROWS=10 COLS=80 tabindex=1></TEXTAREA></td>
</tr>
<tr>
  <th colspan=2 align=center> <input type=submit value="Upload Submission"></th>
</tr>
<dtml-comment> Note:hidden must come last, right before the /form tag </dtml-comment>
<input type=hidden value=<dtml-var project_id> name=project_id>
<input type=hidden value=<dtml-var student_id> name=student_id>
<input type=hidden value=<dtml-var "REQUEST.get('REMOTE_ADDR')"> name=remote_address>
</form>
</table>
<br><br>
</dtml-with>
<br><br>
<dtml-var standard_html_footer>

  Time                 2005/06/07 09:54:55 GMT-5
  User Name (User Id)  student (student)
  Request URL          http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduct/Course/ProjectSubmission_addForm
  Exception Type       Unauthorized
  Exception Value      You are not allowed to access 'mentor' in this context

  Traceback (innermost last):
    * Module ZPublisher.Publish, line 101, in publish
    * Module ZPublisher.mapply, line 88, in mapply
    * Module ZPublisher.Publish, line 39, in call_object
    * Module OFS.DTMLMethod, line 130, in __call__
      DTMLMethod instance at 411fb740
      URL: http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/ProjectSubmission_addForm/manage_main
      Physical Path:/srp/jdh/Sections/S1/J