Re: [Zope] zope 2.7: Unauthorized "in this context"

2005-06-16 Thread Dieter Maurer
John Hunter wrote at 2005-6-15 14:42 -0500:
> ...
>Dieter>   Thus, the primary problem is that "mentor" magically
>Dieter> does not have a "__roles__" attribute or (maybe) that it
>Dieter> was never expected to be accessed via the
>Dieter> "FactoryDispatcher".
>
>My classes are all defined through the old ZClass mechanism and I
>don't see any way to fix the problem on my end.  I've added these
>security assertions and roles when writing pure python products, but
>do not know how to do it with ZClasses (is it possible?)
>
>Is this a bug in my ZClasses or a zope bug?

I have not yet analysed how ZClass security works.

My ZClasses work, but I still use Zope 2.7.2, and
several security tightening measures in 2.7.3 introduced a lot
of problems. Maybe also for ZClasses...

In your product, you have a "mentor_add_permission",
and in the "Define permissions" tab of your mentor ZClass,
do you map "Create class instances" to this (or another existing)
permission?


-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] zope 2.7: Unauthorized "in this context"

2005-06-15 Thread John Hunter
> "Dieter" == Dieter Maurer <[EMAIL PROTECTED]> writes:

Dieter> Note that this is only a hack!

Dieter>   All objects in the "FactoryDispatcher" should provide
Dieter> their own security declarations. Then, they would not
Dieter> depend on that of the container.

Dieter>   Thus, the primary problem is that "mentor" magically
Dieter> does not have a "__roles__" attribute or (maybe) that it
Dieter> was never expected to be accessed via the
Dieter> "FactoryDispatcher".

My classes are all defined through the old ZClass mechanism and I
don't see any way to fix the problem on my end.  I've added these
security assertions and roles when writing pure python products, but
do not know how to do it with ZClasses (is it possible?)

Is this a bug in my ZClasses or a zope bug?

Thanks!
JDH

Dieter> -- Dieter



Re: [Zope] zope 2.7: Unauthorized "in this context"

2005-06-15 Thread Dieter Maurer
John Hunter wrote at 2005-6-15 09:48 -0500:
> ...
>I installed VerboseSecurity and now get a more helpful error message
>in the log (to refresh your memory, this is a pure ZClass based
>product which stopped working on an upgrade to 2.7).  Here is the
>updated message
>
>  Exception Type   Unauthorized
>
>  Exception Value The container has no security assertions. Access to
>  'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.
>
>I googled this error message and found this thread,
>http://www.gossamer-threads.com/lists/zope/users/176379.  You
>responded to the OP
> ...
>  It is true that a "FactoryDispatcher"
>  ("App.FactoryDispatcher.FactoryDispatcher") does not have security
>  assertions
> ...
>  You can try to add a "__role__ = None" and maybe a
>  "__allow_access_to_unprotected_subobjects__ = 1" to the
>  "FactoryDispatcher" class (--> "App/FactoryDispatcher.py") to see
>  whether the problem disappears.  These two attributes will provide
>  security assertions for the factory.

Note that this is only a hack!

  All objects in the "FactoryDispatcher" should provide their
  own security declarations. Then, they would not depend
  on that of the container.

  Thus, the primary problem is that "mentor" magically does
  not have a "__roles__" attribute or (maybe) that it was never
  expected to be accessed via the "FactoryDispatcher".

-- 
Dieter


Re: [Zope] zope 2.7: Unauthorized "in this context"

2005-06-15 Thread John Hunter
> "John" == John Hunter <[EMAIL PROTECTED]> writes:

John> I installed VerboseSecurity and now get a more helpful error
John> message in the log (to refresh your memory, this is a pure
John> ZClass based product which stopped working on an upgrade to
John> 2.7).  Here is the updated message

John>   Exception Type Unauthorized

John>   Exception Value The container has no security
John> assertions. Access to 'mentor' of (FactoryDispatcher
John> instance at 40aeafb0) denied.

OK, for the record, the following patch suggested by Dieter did in
fact fix this problem.  Thanks Dieter!

render:/usr/share/zope2.7/lib/python/App> diff -c FactoryDispatcher.py 
FactoryDispatcher.py.bak
*** FactoryDispatcher.py2005-06-15 10:01:07.0 -0500
--- FactoryDispatcher.py.bak2005-06-15 09:59:47.0 -0500
***
*** 42,49 
  """

  _owner=UnownableOwner
! __allow_access_to_unprotected_subobjects__=1
! __role__ = None
  def __init__(self, product, dest, REQUEST=None):
  if hasattr(product,'aq_base'): product=product.aq_base
  self._product=product
--- 42,48 
  """

  _owner=UnownableOwner
!
  def __init__(self, product, dest, REQUEST=None):
  if hasattr(product,'aq_base'): product=product.aq_base
  self._product=product
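Review bot: the line `! __role__ = None` is misspelled and has no effect: the attribute the security policy consults, as Dieter states later in this thread ("validate" will consult "c.__roles__"), is `__roles__`. The fix therefore rests entirely on `! __allow_access_to_unprotected_subobjects__=1`, which opens every unprotected attribute of every FactoryDispatcher to any caller who can reach one, not just 'mentor' for this product; Dieter's own recommendation in the thread, giving the ZClass objects their own security declarations so they do not depend on the container, is the narrower change. Two smaller points: the diff is taken with the edited file as the `***` side and the backup as the `---` side, so the `!` lines of the first section are the additions, which reads backwards for anyone applying it; and the edit sits in the installed tree under /usr/share/zope2.7/lib/python/App, so it will have to be reapplied after every package upgrade.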




Re: [Zope] zope 2.7: Unauthorized "in this context"

2005-06-15 Thread John Hunter
> "Dieter" == Dieter Maurer <[EMAIL PROTECTED]> writes:

Dieter> John Hunter wrote at 2005-6-7 09:52 -0500:
>> ...  Traceback (innermost last): ...  URL:
>> 
http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
>> Physical Path:/srp/2005/Sections/B1/Amrita
>> Arora/ProjectSubmission_addForm * Module
>> DocumentTemplate.DT_String, line 474, in __call__ * Module
>> DocumentTemplate.DT_With, line 76, in render
>> 
>> Unauthorized: You are not allowed to access 'mentor' in this
>> context

Dieter> The "VerboseSecurity" product may give you more detailed
Dieter> information.

Hi Dieter,

I installed VerboseSecurity and now get a more helpful error message
in the log (to refresh your memory, this is a pure ZClass based
product which stopped working on an upgrade to 2.7).  Here is the
updated message

  Exception Type   Unauthorized

  Exception Value The container has no security assertions. Access to
  'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.

I googled this error message and found this thread,
http://www.gossamer-threads.com/lists/zope/users/176379.  You
responded to the OP


  > Unauthorized: The container has no security assertions. Access to
  > 'title_or_id' of (FactoryDispatcher instance at e68510)
  > denied. (Also,
  > an error occurred while attempting to render the standard error message.)

  This is very strange:

  It is true that a "FactoryDispatcher"
  ("App.FactoryDispatcher.FactoryDispatcher") does not have security
  assertions. But usually, it does not have a "title_or_id"
  either. Therefore, it should not be relevant with respect to
  "title_or_id" access that it lacks security assertions.

  Maybe it is a bug introduced with the security tightening introduced
  in Zope 2.7.3 (there was some discussion about such a bug in the
  mailing list (zope-dev, I think)).

  You can try to add a "__role__ = None" and maybe a
  "__allow_access_to_unprotected_subobjects__ = 1" to the
  "FactoryDispatcher" class (--> "App/FactoryDispatcher.py") to see
  whether the problem disappears.  These two attributes will provide
  security assertions for the factory.


  Your "header/manage_main" DTML Method seems a bit strange, too.  Why
  does it use a "dtml-in" and in it a "dtml-with" and in it access to
  "title_or_id". This is somewhat unexpected in the add form of a
  ZClass.


But there was no followup.  Before I start hacking
App/FactoryDispatcher.py, I wanted to check in here and see if there
was a resolution to this problem, if this is a known bug with a fix,
etc.

Thanks!
JDH


Re: [Zope] zope 2.7: Unauthorized "in this context"

2005-06-08 Thread Dieter Maurer
John Hunter wrote at 2005-6-7 09:52 -0500:
> ...
>Traceback (innermost last):
> ...
>  URL: 
> http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
>  Physical Path:/srp/2005/Sections/B1/Amrita 
> Arora/ProjectSubmission_addForm
>* Module DocumentTemplate.DT_String, line 474, in __call__
>* Module DocumentTemplate.DT_With, line 76, in render
>
>Unauthorized: You are not allowed to access 'mentor' in this context

The "VerboseSecurity" product may give you more detailed information.

I usually analyse such problems in an interactive Python interpreter.
Under *nix, you start it with "bin/zopectl debug" (for Windows,
a "*.bat" file has been posted --> mailing list archive).

You log in within the interactive Python interpreter with

UF = app.acl_users   # or some other user folder
u = UF.getUser('your_user')   # whichever user you want to test as
from AccessControl.SecurityManagement import newSecurityManager
newSecurityManager(None, u.__of__(UF))   # wrap the user in its folder first
# "u" is now logged in

You can check whether Zope thinks the current user can
access attribute "a" with value "v" from container "c" with

from AccessControl import getSecurityManager as gSM
sm = gSM()   # the security manager for the logged-in user
sm.validate(c, c, a, v)   # validate(accessed, container, name, value)

It will return "1" for access allowed, or 0 or an "Unauthorized"
exception (do not ask why) for access denied.

For attributes without their own security declarations (such
as properties), "validate" will consult "c.__roles__" (the
roles allowed to access "c")
and "c.__allow_access_to_unprotected_subobjects__".

-- 
Dieter
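The container fallback Dieter describes above, as an added stand-alone model (example code, not from the thread or from Zope itself): it shows why a dispatcher with no assertions yields the exact VerboseSecurity wording John posted, why the `__role__` line in John's patch is inert, and that `__allow_access_to_unprotected_subobjects__ = 1` opens every unprotected name, beside a narrower per-name mapping. The class names, the attribute `mentor` and the role names are constructed; the dict form of `__allow_access_to_unprotected_subobjects__` is assumed from Zope's policy, not from the thread.

```python
# Added example, not code from the thread or from Zope itself: a simplified,
# stand-alone model of the container fallback Dieter describes for attributes
# without security declarations of their own (real ZopeSecurityPolicy has more branches).

_NOROLES = object()   # sentinel: the container has no __roles__ attribute at all

class Unauthorized(Exception):
    pass

def validate_unprotected(container, name, user_roles=()):
    """Return 1 if attribute `name` (which has no __roles__ of its own) may be
    read from `container`, otherwise raise Unauthorized."""
    roles = getattr(container, "__roles__", _NOROLES)
    allow = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
    if isinstance(allow, dict):     # assumed: Zope also accepts a per-name mapping
        allow = allow.get(name, 0)
    if not allow:
        # the wording VerboseSecurity printed for John in this thread
        raise Unauthorized("The container has no security assertions. "
                           "Access to %r of (%s instance) denied."
                           % (name, type(container).__name__))
    if roles is _NOROLES or roles is None:   # unprotected or explicitly public
        return 1
    if set(roles) & set(user_roles):
        return 1
    raise Unauthorized("You are not allowed to access %r in this context" % name)

def check(container, name, user_roles=()):
    # Convenience wrapper: 1 when allowed, else the denial message.
    try:
        return validate_unprotected(container, name, user_roles)
    except Unauthorized as exc:
        return str(exc)

class FactoryDispatcher:
    """Stand-in (constructed) for the shipped dispatcher: no assertions at all."""
    mentor = "attribute reached through the dispatcher"

class PatchedDispatcher(FactoryDispatcher):
    """The two attributes John's patch added. `__role__` is misspelled (the
    policy reads `__roles__`), so only the first line changes the outcome."""
    __allow_access_to_unprotected_subobjects__ = 1
    __role__ = None

class ScopedDispatcher(FactoryDispatcher):
    """Narrower alternative (constructed): open one name, and still require a role."""
    __allow_access_to_unprotected_subobjects__ = {"mentor": 1}
    __roles__ = ("Student", "Manager")
```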


[Zope] zope 2.7: Unauthorized "in this context"

2005-06-07 Thread John Hunter

I recently upgraded my zope server to 2.7 and a product I wrote which
makes heavy use of Z-Classes is now broken.  This is a workflow site
for a course, and there are Course, Section, Student,
ProjectSubmission, etc. as ZClasses.  To view the page at all, students
undergo basic authentication.  When students want to submit some
homework (they have the "Add Project Submissions" Class Permission)
they click on a link like the following for the ProjectSubmission add
form

http://myserver.com/Sections/S1/J%20Hunter/manage_addProduct/Course/ProjectSubmission_addForm?project_id=A%20Proj&student_id=J%20Hunter

Where "J Hunter" is the Student, "S1" is the Section and "A Proj" is
the ProjectSubmission.  This was working fine until the upgrade: the
link took them to the ProjectSubmission_addForm and they could add
their submission.  Since the upgrade they get another
authentication dialog box, and after reentering their username and
password they get the dialog box again; if they then hit cancel
they get the following (verbose info below)


Traceback (innermost last):

* Module ZPublisher.Publish, line 101, in publish
* Module ZPublisher.mapply, line 88, in mapply
* Module ZPublisher.Publish, line 39, in call_object
* Module OFS.DTMLMethod, line 130, in __call__
  
  URL: 
http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
  Physical Path:/srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm
* Module DocumentTemplate.DT_String, line 474, in __call__
* Module DocumentTemplate.DT_With, line 76, in render

Unauthorized: You are not allowed to access 'mentor' in this context


"mentor" is a field in the StudentPropertySheet.
 
Interestingly, the same result occurs even if I enter a manager or
site-root username/password in the authentication dialog box.

I googled for the error message and found

  http://mail.zope.org/pipermail/zope-dev/2004-January/021501.html

Based on my read of this, I tried adding the "Manager" proxy role to
ProjectSubmission_addForm but this did not help.

Any ideas?  The add form and the verbose traceback are included below.
As I say, all was working fine until a server upgrade so I suspect
there is a recent zope feature that I am not handling properly.


Thanks,
JDH

Here is the DTML Method ProjectSubmission_addForm

(the DTML source did not survive the archive's HTML rendering; what
remains of it are the field labels Email, Mentor, Mentor email, File,
Title and Synopsis, a hidden "remote_address" input, and the note that
the hidden fields must come last)

Time: 2005/06/07 09:54:55 GMT-5
User Name (User Id): student (student)
Request URL:
http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduct/Course/ProjectSubmission_addForm
Exception Type: Unauthorized
Exception Value: You are not allowed to access 'mentor' in this context

Traceback (innermost last):

* Module ZPublisher.Publish, line 101, in publish
* Module ZPublisher.mapply, line 88, in mapply
* Module ZPublisher.Publish, line 39, in call_object
* Module OFS.DTMLMethod, line 130, in __call__
  
  URL: 
http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/ProjectSubmission_addForm/manage_main
  Physical Path:/srp/jdh/Sections/S1/J Hunter/ProjectSubmission_addForm
* Module DocumentTemplate.DT_String, line 474, in __call__
* Module DocumentTemplate.DT_With, line 76, in render

Unauthorized: You are not allowed to access 'mentor' in this context

REQUEST
form
student_id  'J Hunter'
project_id  'A Proj'