Re: [Zope] zope 2.7: Unauthorized in this context

2005-06-15 Thread John Hunter
 Dieter == Dieter Maurer [EMAIL PROTECTED] writes:

Dieter John Hunter wrote at 2005-6-7 09:52 -0500:
 ...
 Traceback (innermost last): ...
 URL: http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
 Physical Path: /srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm
 * Module DocumentTemplate.DT_String, line 474, in __call__
 * Module DocumentTemplate.DT_With, line 76, in render

 Unauthorized: You are not allowed to access 'mentor' in this context

Dieter The VerboseSecurity product may give you more detailed
Dieter information.

Hi Dieter,

I installed VerboseSecurity and now get a more helpful error message
in the log (to refresh your memory, this is a pure ZClass based
product which stopped working on an upgrade to 2.7).  Here is the
updated message

  Exception Type Unauthorized

  Exception Value The container has no security assertions. Access to
  'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.

I googled this error message and found this thread,
http://www.gossamer-threads.com/lists/zope/users/176379.  You
responded to the OP


   Unauthorized: The container has no security assertions. Access to
   'title_or_id' of (FactoryDispatcher instance at e68510)
   denied. (Also,
   an error occurred while attempting to render the standard error message.)

  This is very strange:

  It is true that a FactoryDispatcher
  (App.FactoryDispatcher.FactoryDispatcher) does not have security
  assertions. But usually, it does not have a title_or_id
  either. Therefore, it should not be relevant with respect to
  title_or_id access that it lacks security assertions.

  Maybe, it is a bug introduced with the security tightening introduced
  in Zope 2.7.3 (there was some discussion about such a bug in the
  mailing list (zope-dev, I think)).

  You can try to add a __role__ = None and maybe a
  __allow_access_to_unprotected_subobjects__ = 1 to the
  FactoryDispatcher class (-- App/FactoryDispatcher.py) to see
  whether the problem disappears.  These two attributes will provide
  security assertions for the factory.


  Your header/manage_main DTML Method seems a bit strange, too.  Why
  does it use a dtml-in and in it a dtml-with and in it access to
  title_or_id. This is somewhat unexpected in the add form of a
  ZClass.


But there was no followup.  Before I start hacking
App/FactoryDispatcher.py, I wanted to check in here and see if there
was a resolution to this problem, if this is a known bug with a fix,
etc.

Thanks!
JDH
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] zope 2.7: Unauthorized in this context

2005-06-15 Thread John Hunter
 John == John Hunter [EMAIL PROTECTED] writes:

John I installed VerboseSecurity and now get a more helpful error
John message in the log (to refresh your memory, this is a pure
John ZClass based product which stopped working on an upgrade to
John 2.7).  Here is the updated message

John   Exception Type Unauthorized

John   Exception Value The container has no security
John assertions. Access to 'mentor' of (FactoryDispatcher
John instance at 40aeafb0) denied.

OK, for the records, the following patch suggested by Dieter did in
fact fix this problem.  Thanks Dieter!

render:/usr/share/zope2.7/lib/python/App diff -c FactoryDispatcher.py 
FactoryDispatcher.py.bak
*** FactoryDispatcher.py2005-06-15 10:01:07.0 -0500
--- FactoryDispatcher.py.bak2005-06-15 09:59:47.0 -0500
***
*** 42,49 
  

  _owner=UnownableOwner
! __allow_access_to_unprotected_subobjects__=1
! __role__ = None
  def __init__(self, product, dest, REQUEST=None):
  if hasattr(product,'aq_base'): product=product.aq_base
  self._product=product
--- 42,48 
  

  _owner=UnownableOwner
!
  def __init__(self, product, dest, REQUEST=None):
  if hasattr(product,'aq_base'): product=product.aq_base
  self._product=product
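
Review bot: The two `!` lines in the `*** 42,49` half are class attributes on FactoryDispatcher, so `__allow_access_to_unprotected_subobjects__=1` relaxes the check for everything reached through any dispatcher, not only the ZClass add form that raised `Unauthorized`; a comment above them marking this as a workaround and saying why would help at the next upgrade. The second line is spelled `__role__`, while the follow-up in this thread refers to a `__roles__` attribute, so check which name is intended. The diff was also taken with the modified file first and the `.bak` second, so it reads as a removal; swapping the two arguments would give a patch that applies in the intended direction.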




Re: [Zope] zope 2.7: Unauthorized in this context

2005-06-15 Thread John Hunter
 Dieter == Dieter Maurer [EMAIL PROTECTED] writes:

Dieter Note that this is only a hack!

Dieter   All objects in the FactoryDispatcher should provide
Dieter their own security declarations. Then, they would not
Dieter depend on that of the container.

Dieter   Thus, the primary problem is that mentor magically
Dieter does not have a __roles__ attribute or (maybe) that it
Dieter was never expected to be accessed via the
Dieter FactoryDispatcher.

My classes are all defined through the old ZClass mechanism and I
don't see any way to fix the problem on my end.  I've added these
security assertions and roles when writing pure python products, but
do not know how to do it with ZClasses (is it possible?)

Is this a bug in my ZClasses or a zope bug?

Thanks!
JDH

Dieter -- Dieter
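
A toy model of the container fallback discussed in this thread, as an added example that is not part of the original messages and is not Zope's code. `validate`, `BareDispatcher`, `PatchedDispatcher` and `DeclaredValue` are hypothetical names, the attribute is spelled `__roles__` as in the message above, and treating `__roles__ = None` as public is an assumption of the model.

```python
class Unauthorized(Exception):
    """Raised when the toy policy denies access."""

_NO_ROLES = object()  # sentinel: the value carries no role declaration

def validate(container, name, value, user_roles):
    """Toy check: the value's own declaration wins, otherwise ask the container."""
    roles = getattr(value, "__roles__", _NO_ROLES)
    if roles is _NO_ROLES:
        # Undeclared value (for example a plain string property): the decision
        # now depends entirely on what the container asserts.
        if not getattr(container, "__allow_access_to_unprotected_subobjects__", 0):
            raise Unauthorized(
                "The container has no security assertions. Access to %r of %s denied."
                % (name, type(container).__name__))
        roles = getattr(container, "__roles__", None)
    if roles is None:  # model assumption: None means public
        return True
    if set(roles) & set(user_roles):
        return True
    raise Unauthorized("You are not allowed to access %r in this context" % name)

class BareDispatcher:
    """Hypothetical stand-in for a container with no security assertions."""

class PatchedDispatcher:
    """Hypothetical stand-in for the container after the workaround."""
    __allow_access_to_unprotected_subobjects__ = 1
    __roles__ = None

class DeclaredValue(str):
    """A value that carries its own declaration and ignores the container."""
    __roles__ = ("Student",)

def outcome(container, value, user_roles):
    try:
        return validate(container, "mentor", value, user_roles)
    except Unauthorized:
        return False

def demo():
    plain, declared = "Dr. Example", DeclaredValue("Dr. Example")  # constructed values
    return {
        "bare/plain/Manager": outcome(BareDispatcher(), plain, ["Manager"]),
        "patched/plain/Anonymous": outcome(PatchedDispatcher(), plain, ["Anonymous"]),
        "bare/declared/Student": outcome(BareDispatcher(), declared, ["Student"]),
        "bare/declared/Anonymous": outcome(BareDispatcher(), declared, ["Anonymous"]),
    }
```

In the model, the bare container denies even a Manager, the patched container lets Anonymous read every undeclared value, and a value with its own declaration is decided the same way whichever container it is reached through.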



[Zope] zope 2.7: Unauthorized in this context

2005-06-07 Thread John Hunter

I recently upgraded my zope server to 2.7 and a product I wrote which
makes heavy use of Z-Classes is now broken.  This is a workflow site
for a course, and there are Course, Section, Student,
ProjectSubmission, etc as ZClasses.  To view the page at all students
undergo basic authentication.  When students want to submit some
homework (they have the Add Project Submissions Class Permission)
they click on a link like the following for the ProjectSubmission add
form

http://myserver.com/Sections/S1/J%20Hunter/manage_addProduct/Course/ProjectSubmission_addForm?project_id=A%20Projstudent_id=J%20Hunter

Where J Hunter is the Student, S1 is the Section and A Proj is
the ProjectSubmission.  This was working fine until the upgrade, the
link took them to the ProjectSubmission_addForm and they could add
their submission.  After the upgrade, now they get another
authentication dialog box and after reentering their username and
password, they get the dialog box again, and then if they hit cancel
they get (verbose info below)


Traceback (innermost last):

* Module ZPublisher.Publish, line 101, in publish
* Module ZPublisher.mapply, line 88, in mapply
* Module ZPublisher.Publish, line 39, in call_object
* Module OFS.DTMLMethod, line 130, in __call__
  DTMLMethod instance at 4128fef0
  URL: 
http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
  Physical Path:/srp/2005/Sections/B1/Amrita Arora/ProjectSubmission_addForm
* Module DocumentTemplate.DT_String, line 474, in __call__
* Module DocumentTemplate.DT_With, line 76, in render

Unauthorized: You are not allowed to access 'mentor' in this context


mentor is a field in the StudentPropertySheet.
 
Interestingly, the same result occurs even if I enter a manager or
site-root username/password in the authentication dialog box.

I googled for the error message and found

  http://mail.zope.org/pipermail/zope-dev/2004-January/021501.html

Based on my read of this, I tried adding the Manager proxy role to
ProjectSubmission_addForm but this did not help.

Any ideas?  The add form and the verbose traceback are included below.
As I say, all was working fine until a server upgrade so I suspect
there is a recent zope feature that I am not handling properly.


Thanks,
JDH

Here is  DTML Method ProjectSubmission_addForm


<dtml-comment> -*- mode: dtml; dtml-top-element: body -*- </dtml-comment>
<dtml-var standard_html_header>

<dtml-with site_params_py mapping>
  <form action="ProjectSubmission_add_py"
        method="post" enctype="multipart/form-data">
<table <dtml-var form_table_params>>

  <dtml-var "form_table_header_dtml(_.None, _,
      caption='Enter project submission information', num_columns=2)">

<dtml-comment>

<tr>
  <th <dtml-var form_table_th>>Email</th>
  <td><input size="50" name="email" value="<dtml-var email>"></td>
</tr>
</dtml-comment>


<tr>
  <th <dtml-var form_table_th>>Mentor</th>
  <td><input size="50" name="mentor" value="<dtml-var mentor>"></td>
</tr>

<tr>
  <th <dtml-var form_table_th>>Mentor email</th>
  <td><input size="50" name="mentor_email" value="<dtml-var mentor_email>"></td>
</tr>


<tr>
  <th <dtml-var form_table_th>>File</th>
  <td><input size="60" type="file" name="file_data"></td>
</tr>

<tr>
<th <dtml-var form_table_th>>Title:</th>
<td><TEXTAREA WRAP="virtual" NAME="submission_title"
  ROWS="2" COLS="80" tabindex="1"></TEXTAREA></td>
</tr>

<tr>
<th <dtml-var form_table_th>>Synopsis:</th>
<td><TEXTAREA WRAP="virtual" NAME="description"
  ROWS="10" COLS="80" tabindex="1"></TEXTAREA></td>
</tr>

<tr>
<th colspan="2" align="center">
<input type="submit" value="Upload Submission"></th>
</tr>

  <dtml-comment>
Note: hidden must come last, right before the </form> tag
  </dtml-comment>
  <input type="hidden" value="<dtml-var project_id>"
         name="project_id">
  <input type="hidden" value="<dtml-var student_id>"
         name="student_id">

  <input type="hidden" value="<dtml-var "REQUEST.get('REMOTE_ADDR')">"
         name="remote_address">


   </form>
</table>
<br><br>

</dtml-with>

<br><br>
<dtml-var standard_html_footer>





Time 2005/06/07 09:54:55 GMT-5
User Name (User Id) student (student)
Request URL 
http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/manage_addProduct/Course/ProjectSubmission_addForm
Exception Type  Unauthorized
Exception Value You are not allowed to access 'mentor' in this context

Traceback (innermost last):

* Module ZPublisher.Publish, line 101, in publish
* Module ZPublisher.mapply, line 88, in mapply
* Module ZPublisher.Publish, line 39, in call_object
* Module OFS.DTMLMethod, line 130, in __call__
  DTMLMethod instance at 411fb740
  URL: 
http://bace.bsd.uchicago.edu/srp/jdh/Sections/S1/J%20Hunter/ProjectSubmission_addForm/manage_main
  Physical Path:/srp/jdh/Sections/S1/J