Jim Nelson wrote:
After getting my remember-based product working, I realized that their data was being exposed to the world. After adding a workflow to the product set to default to 'new_private', the user profile was hidden, but users could not set their own passwords.

okay, the problem was that Plone has introduced some new views (@@plone_portal_state and @@plone_context_state) which are used whenever a TALES expression context is generated. these views are protected by the View permission. normally this is fine, but remember has edge cases where anonymous users really are supposed to be allowed to effect changes to content, such as when you're using the password reset machinery.

i've just made a commit to the remember trunk (r64675) which should resolve this issue. please svn up and try it out.

note that there's also a similar (but not identical, alas) error when you try to use the regular password reset machinery on a member in the private state. this commit does not fix that problem... i'll have to deal with that separately.

-r



I got the following error after turning on verbose security:

2008-05-07 13:23:46 ERROR Zope.SiteErrorLog http://aanamembertest.neteasyinc.com/pwreset_form
Traceback (innermost last):
  Module ZPublisher.Publish, line 119, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 42, in call_object
  Module Products.CMFFormController.FSControllerPageTemplate, line 90, in __call__
  Module Products.CMFFormController.BaseControllerPageTemplate, line 28, in _call
  Module Products.CMFFormController.ControllerBase, line 231, in getNext
  Module Products.CMFFormController.Actions.TraverseTo, line 38, in __call__
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 42, in call_object
  Module Products.CMFFormController.FSControllerPythonScript, line 104, in __call__
  Module Products.CMFFormController.Script, line 145, in __call__
  Module Products.CMFCore.FSPythonScript, line 140, in __call__
  Module Shared.DC.Scripts.Bindings, line 313, in __call__
  Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
  Module Products.CMFCore.FSPythonScript, line 196, in _exec
  Module None, line 6, in pwreset_action
   - <FSControllerPythonScript at /test/main/pwreset_action>
   - Line 6
  Module Products.PasswordResetTool.PasswordResetTool, line 151, in resetPassword
  Module Products.remember.content.member, line 325, in setMemberProperties
  Module Products.remember.content.member, line 321, in setProperties
  Module Products.remember.content.member, line 572, in update
  Module Products.remember.Extensions.workflow, line 23, in triggerAutomaticTransitions
  Module Products.CMFCore.ActionProviderBase, line 92, in listActionInfos
  Module Products.CMFPlone.PloneBaseTool, line 148, in _getExprContext
  Module Products.CMFPlone.PloneBaseTool, line 127, in getExprContext
  Module Products.CMFPlone.PloneBaseTool, line 79, in createExprContext
  Module OFS.Traversable, line 301, in restrictedTraverse
  Module OFS.Traversable, line 195, in unrestrictedTraverse
   - __traceback_info__: ([], '@@plone_portal_state')
  Module AccessControl.ImplPython, line 563, in validate
  Module AccessControl.ImplPython, line 461, in validate
  Module AccessControl.ImplPython, line 808, in raiseVerbose
Unauthorized: Your user account does not have the required permission. Access to '@@plone_portal_state' of (AANAMember at /test/main/portal_memberdata/dirk used for /test/main/acl_users) denied. Your user account, Anonymous User, exists at /acl_users. Access requires one of the following roles: ['Manager', 'Owner']. Your roles in this context are ['Anonymous'].

Playing with one of the users and enabling the 'View' permission for 'Anonymous' allowed that specific user to set their password, but also made their profile visible.

What do I need to do to make this work?


--
Archive:
http://www.openplans.org/projects/remember/lists/remember/archive/2008/05/1210186811727
To unsubscribe send an email with subject unsubscribe to [EMAIL PROTECTED]
Please contact [EMAIL PROTECTED] for questions.




--
Archive: 
http://www.openplans.org/projects/remember/lists/remember/archive/2008/05/1210628125465
To unsubscribe send an email with subject unsubscribe to [EMAIL PROTECTED]  
Please contact [EMAIL PROTECTED] for questions.
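The trade-off the thread turns on (granting Anonymous the View permission on a private member makes the password reset work but also exposes the profile, whereas the reset path only needs a narrowly scoped privilege) can be shown with a small model of a Zope-style role check. This is an added illustration, not code from Plone, remember or the r64675 commit, and it does not use the real AccessControl API: the `Member`, `SecurityContext` and `elevated` names, the `dirk` member and the email address are all constructed for the example. Only the default role mapping (View requires Manager or Owner, Anonymous has only the Anonymous role) is taken from the Unauthorized message in the traceback above.

```python
from contextlib import contextmanager


class Unauthorized(Exception):
    """Raised when the current user lacks a required permission."""


class SecurityContext:
    """Current user plus global roles. A stand-in for Zope's security
    manager, not the real AccessControl API."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = frozenset(roles)


# Stack of security contexts; the bottom entry is the anonymous visitor.
_stack = [SecurityContext("Anonymous User", {"Anonymous"})]


def current_context():
    return _stack[-1]


@contextmanager
def elevated(user="system", roles=("Manager",)):
    """Run a bounded block with elevated roles and always restore the
    caller's context, so an exception inside cannot leak the elevation."""
    _stack.append(SecurityContext(user, roles))
    try:
        yield
    finally:
        _stack.pop()


class Member:
    """Member object whose View permission maps to a set of roles.
    The default mirrors the traceback: View requires Manager or Owner."""

    def __init__(self, owner, view_roles=("Manager", "Owner")):
        self.owner = owner
        self.email = f"{owner}@example.invalid"  # constructed sample data
        self.password_hash = None
        self.permission_roles = {"View": set(view_roles)}


def roles_in_context(member, ctx):
    roles = set(ctx.roles)
    if ctx.user == member.owner:
        roles.add("Owner")  # local role on one's own content
    return roles


def check_permission(member, permission):
    ctx = current_context()
    allowed = member.permission_roles.get(permission, set())
    have = roles_in_context(member, ctx)
    if not allowed & have:
        raise Unauthorized(f"{permission} denied for {ctx.user}: "
                           f"requires {sorted(allowed)}, has {sorted(have)}")


def view_profile(member):
    check_permission(member, "View")
    return {"owner": member.owner, "email": member.email}


def reset_password_naive(member, new_hash):
    """Failing path from the thread: the reset runs as Anonymous and an
    internal lookup on the member is guarded by View."""
    check_permission(member, "View")  # stands in for the protected view lookup
    member.password_hash = new_hash


def reset_password_scoped(member, new_hash):
    """Elevate only around the internal lookup; the member's profile
    stays hidden from anonymous visitors afterwards."""
    with elevated():
        check_permission(member, "View")
    member.password_hash = new_hash


def outcome(fn, *args):
    """Return 'ok' or 'Unauthorized' for a call made as the current user."""
    try:
        fn(*args)
        return "ok"
    except Unauthorized:
        return "Unauthorized"


def demo():
    """Compare the three behaviours from the thread, all as Anonymous."""
    private = Member("dirk")
    results = {
        "naive_reset": outcome(reset_password_naive, private, "h1"),
        "scoped_reset": outcome(reset_password_scoped, private, "h2"),
        "profile_after_scoped_reset": outcome(view_profile, private),
    }
    # The workaround tried in the thread: grant View to Anonymous.
    opened = Member("dirk", view_roles=("Manager", "Owner", "Anonymous"))
    results["workaround_reset"] = outcome(reset_password_naive, opened, "h3")
    results["workaround_profile"] = outcome(view_profile, opened)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `elevated` is that the privilege is bounded to the single lookup the reset path needs and is released in a `finally`, so the member stays in its private state and a failure midway cannot leave the request running with Manager roles. Widening the View permission on the object itself, as the workaround does, fixes the reset but also makes the profile readable to anyone.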
