Stuart Bishop wrote:

In Shared.DC.Scripts.Bindings._getContext(self), there seems to be a new security check: getSecurityManager().validate(parent, container, '', self)

This is now giving me the following traceback:

Traceback (innermost last):
Module ZPublisher.Publish, line 100, in publish
Module ZPublisher.mapply, line 88, in mapply
Module ZPublisher.Publish, line 40, in call_object
Module Products.CGPublisher.storage.Storage, line 911, in editPane
Module Shared.DC.Scripts.Bindings, line 261, in __call__
Module Shared.DC.Scripts.Bindings, line 292, in _bindAndExec
Module Products.PageTemplates.PageTemplateFile, line 106, in _exec
Module Products.PageTemplates.PageTemplate, line 90, in pt_render
- <PageTemplateFile at /CGPublisher/works/2/5/source/getaway/details/editPaneHelper>
Module Products.PageTemplates.PageTemplateFile, line 74, in pt_getContext
Module Shared.DC.Scripts.Bindings, line 224, in _getContext
Module AccessControl.ImplPython, line 398, in validate
Module AccessControl.ImplPython, line 263, in validate
Unauthorized: You are not allowed to access '' in this context



editPaneHelper is just a PageTemplateFile. Storage.editPane (Python - not Python Script) is calling it like: return self.editPaneHelper(**options)


Can anyone give me a hint on tracking this down? I have so far been unable to write a minimal example that fails (they all work), so I'm unsure if this is a Zope problem or my problem.

Zope 2.6.3 added a new security check for untrusted code, to ensure that the "bindings" created (in particular, 'context' and 'container') weren't set up if the user didn't have access to the bound objects.


You can either:

- On the template's "Bindings" tab, unbind the 'context' name
  (assuming that your template does not use either 'context' or 'here')

- Give the template a proxy role of 'Manager'.

Tres.
--
===============================================================
Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"       http://www.zope.com

