[EMAIL PROTECTED] wrote on 08/10/2006 02:02:28 PM:

> Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
> >I have a zope app in a folder and have an exUserFolder in there to
> >authenticate the app's users. The app is working fine and I get
> >authenticated by the exUserFolder and everything works. I tried to
> >delete the single "admin" account (with Manager privileges) from the
> >root standard user folder and the app breaks with:
> >
> >Unauthorized: You are not allowed to access 'call_backend' in this context
> >
> >where 'call_backend' is an External Method called by a Python Script.
> >All objects in zope are owned by the "admin". Could this be causing the
> >problem?
>
> Others already answered "yes".
>
> I just would like to add that this is due to the "executable owner"
> feature, introduced in Zope 2.2 to make Trojan horse attacks much
> more difficult. You may still be able to find the corresponding
> documentation (maybe even in the Zope Book (2.7 edition on "Plope.org")).
>
>

I would also add. It is usually a real good idea to put only admin users in the root folder anyway. This gives you additional protection from several problems: it makes database connection methods much harder to see, it protects you from bugs in add-on acl_user products, it keeps people from doing things like adding a siteroot to your root folder, and it keeps people out of the Control_Panel.

The only thing that I can imagine that you would want non admins to have access to in the root folder is the error_log. In a large organization, I could see that you would want programmers who do not have admin rights to be able to see it. That might take some special handling, but I suspect that you could use a proxy role or even just set its access to Anonymous (although that may lead to unintended information leakage).

jim penny

>
> --
> Dieter

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
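
A simplified model of the "executable owner" check discussed in this thread, added here as an illustration; it is not part of the thread and not Zope's own code. The folder paths, the user "alice", the "AppUser" role and the helper names are constructed, and the model assumes that an owner who can no longer be found is treated as an Anonymous-only user.

```python
# Toy model of an "executable owner" check; not Zope source code.
from dataclasses import dataclass

ANONYMOUS = frozenset({"Anonymous"})


@dataclass
class Executable:
    name: str
    owner: tuple  # (user folder path, user id): a reference, not a copy of roles


def owner_roles(folders, executable):
    """Resolve the owner reference; assume a missing owner degrades to Anonymous."""
    path, user_id = executable.owner
    roles = folders.get(path, {}).get(user_id)
    return frozenset(roles) if roles is not None else ANONYMOUS


def may_call(folders, caller_roles, executable, required_roles):
    """Code running inside `executable` reaches a protected object only if
    BOTH the logged-in caller and the executable's owner hold a required role."""
    required = frozenset(required_roles)
    caller_ok = bool(frozenset(caller_roles) & required)
    owner_ok = bool(owner_roles(folders, executable) & required)
    return caller_ok and owner_ok


def demo():
    # Constructed data: one admin in the root folder, one user in the app folder.
    folders = {
        "/acl_users": {"admin": {"Manager"}},
        "/app/acl_users": {"alice": {"AppUser"}},
    }
    script = Executable("script", owner=("/acl_users", "admin"))
    backend_roles = {"Manager", "AppUser"}  # roles allowed to use call_backend
    results = {}
    # App user runs the admin-owned script: both checks pass.
    results["before_delete"] = may_call(folders, {"AppUser"}, script, backend_roles)
    # Trojan horse case: a Manager runs a script owned by a low-privilege user.
    trojan = Executable("trojan", owner=("/app/acl_users", "alice"))
    results["trojan_run_by_manager"] = may_call(folders, {"Manager"}, trojan, {"Manager"})
    # Deleting the owning account leaves the script with no usable owner.
    del folders["/acl_users"]["admin"]
    results["after_delete"] = may_call(folders, {"AppUser"}, script, backend_roles)
    return results


if __name__ == "__main__":
    print(demo())
```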