Re: [Zope] user account defined outside context of object being accessed
----- Original Message -----
From: Dieter Maurer [EMAIL PROTECTED]
To: Kees de Brabander [EMAIL PROTECTED]
Cc: zope@zope.org
Sent: Thursday, December 15, 2005 5:54 PM
Subject: Re: [Zope] user account defined outside context of object being accessed

> Kees de Brabander wrote at 2005-12-13 22:40 +0100:
> > ...
> >   Module AccessControl.ImplPython, line 449, in validate
> >   Module AccessControl.ImplPython, line 774, in raiseVerbose
> > Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'f1_index' of (Folder at /f1), acquired through (Folder at /f1/f11/f111), denied. Your user account, user1, exists at /f1/f11/acl_users. Access requires one of the following roles: ['Authenticated', 'Manager', 'Owner', 'student'].
>
> A user defined in /f1/f11/acl_users tries to access the protected /f1/f1_index.
>
> This is not allowed by the Zope security system: a user defined in a user folder can only access protected objects governed by this user folder. In your case, all objects at or below /f1/f11 are governed by your user folder (/f1/f11/acl_users). /f1/f1_index does not lie within this hierarchy and is therefore not governed.

I am painfully aware now that this is the case, at least starting from zope 2.7.8. I have not tested all versions of zope, but at least up to 2.7.3 zope had no problem with such a setup.

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] user account defined outside context of object being accessed
Kees de Brabander wrote at 2005-12-13 22:40 +0100:
> ...
>   Module AccessControl.ImplPython, line 449, in validate
>   Module AccessControl.ImplPython, line 774, in raiseVerbose
> Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'f1_index' of (Folder at /f1), acquired through (Folder at /f1/f11/f111), denied. Your user account, user1, exists at /f1/f11/acl_users. Access requires one of the following roles: ['Authenticated', 'Manager', 'Owner', 'student'].

A user defined in /f1/f11/acl_users tries to access the protected /f1/f1_index.

This is not allowed by the Zope security system: a user defined in a user folder can only access protected objects governed by this user folder. In your case, all objects at or below /f1/f11 are governed by your user folder (/f1/f11/acl_users). /f1/f1_index does not lie within this hierarchy and is therefore not governed.

-- 
Dieter
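The rule Dieter states above, that a user folder governs only the objects contained at or below the folder holding it, regardless of the path through which an object was acquired, as a small Python model. This is an added example, not Zope's AccessControl code: the Node/User/validate names, the role set and the site layout are my own, rebuilt from the poster's folder tree, and the `inner=False` branch is a deliberately lenient check included only to make the difference visible, not a claim about what earlier Zope releases did.

```python
# Added example (not Zope's own code): a model of the user-folder context rule.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """A folder or method with one containment ("inner") parent."""
    name: str
    parent: Optional["Node"] = None
    children: dict = field(default_factory=dict)

    def add(self, name):
        child = Node(name, self)
        self.children[name] = child
        return child

    def containment_chain(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

    def path(self):
        names = [n.name for n in self.containment_chain() if n.name]
        return "/" + "/".join(reversed(names))


def acquire(start, name):
    """Acquisition lookup: search `start`, then each of its containers, for
    `name`. Returns (object, folder it was found in)."""
    for folder in start.containment_chain():
        if name in folder.children:
            return folder.children[name], folder
    raise AttributeError(name)


def in_context_of(obj, context):
    """True if `context` lies on obj's containment chain."""
    return any(node is context for node in obj.containment_chain())


@dataclass
class User:
    name: str
    roles: frozenset
    user_folder: Node   # the acl_users folder that defines this user

    @property
    def context(self):
        # Everything at or below the folder holding acl_users is governed
        # by this user folder; nothing above it is.
        return self.user_folder.parent


def validate(user, required_roles, start, name, inner=True):
    """Resolve `name` from `start` by acquisition and decide access.

    inner=True applies the rule from the thread: the object's own containment
    chain must pass through the user folder's container. inner=False instead
    tests the folder the request came through (hypothetical lenient variant,
    shown only for contrast)."""
    value, found_in = acquire(start, name)
    if not (user.roles & frozenset(required_roles)):
        return False, "%s lacks all of %s" % (user.name, sorted(required_roles))
    subject = value if inner else start
    if not in_context_of(subject, user.context):
        return False, (
            "Your user account is defined outside the context of the object "
            "being accessed. Access to %r of (Folder at %s), acquired through "
            "(Folder at %s), denied. Your user account, %s, exists at %s."
            % (name, found_in.path(), start.path(), user.name,
               user.user_folder.path())
        )
    return True, "allowed"


def build_site():
    """Constructed sample site with the poster's layout."""
    root = Node("")
    f1 = root.add("f1")
    f1.add("f1_index")
    f11 = f1.add("f11")
    f11.add("acl_users")
    f111 = f11.add("f111")
    f111.add("index_html")
    return root


# Roles the view permission on /f1 was re-granted to (from the traceback).
REQUIRED = ("Authenticated", "Manager", "Owner", "student")


def run_cases():
    root = build_site()
    f1 = root.children["f1"]
    f11 = f1.children["f11"]
    f111 = f11.children["f111"]
    user1 = User("user1", frozenset({"Authenticated", "student"}),
                 f11.children["acl_users"])
    results = {}
    # index_html in /f1/f11/f111 acquires f1_index from /f1; /f1 is above
    # /f1/f11, so the containment check denies it (the thread's traceback).
    results["f1_index via f111"] = validate(user1, REQUIRED, f111, "f1_index")
    # The lenient variant looks at /f1/f11/f111's chain, which does pass
    # through /f1/f11, and would let the acquisition trick through.
    results["f1_index lenient"] = validate(user1, REQUIRED, f111, "f1_index",
                                           inner=False)
    # An object contained under /f1/f11 is governed by the user folder.
    results["index_html via f111"] = validate(user1, REQUIRED, f111, "index_html")
    # The poster's workaround: move acl_users to /f1 so /f1 becomes the context.
    moved = User("user1", user1.roles, f1.add("acl_users"))
    results["f1_index after move"] = validate(moved, REQUIRED, f111, "f1_index")
    return results


if __name__ == "__main__":
    for label, (ok, why) in run_cases().items():
        print("%-22s %s  %s" % (label, "ALLOW" if ok else "DENY ", why))
```

Running it prints one line per case: the acquisition of f1_index through f111 is denied with the same wording as the thread's traceback, the same lookup passes once acl_users sits in /f1, and index_html inside /f1/f11/f111 is allowed either way. The contrast case shows why the check walks the object's containment chain rather than the request path: any folder under /f1/f11 could otherwise reach every protected object above it by acquisition.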
Re: [Zope] user account defined outside context of object being accessed
----- Original Message -----
From: Chris Withers [EMAIL PROTECTED]
To: Kees de Brabander [EMAIL PROTECTED]
Cc: zope@zope.org
Sent: Thursday, December 15, 2005 4:24 PM
Subject: Re: [Zope] user account defined outside context of object being accessed

> Kees de Brabander wrote:
> > Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'f1_index' of (Folder at /f1), acquired through (Folder at /f1/f11/f111), denied. Your user account, user1, exists at /f1/f11/acl_users. Access requires one of the following roles: ['Authenticated', 'Manager', 'Owner', 'student'].
>
> Looks like you were inadvertently taking advantage of a security hole in Zope that got plugged.
>
> That said, your example was extremely complicated.

Well, that's life ;)

> Can you come up with as simple an example as possible so that we can maybe help you out?

I can't make the example any simpler than I did. I guess it boils down to the fact that a user defined in a user folder somewhere farther down along a path cannot acquire objects higher up that path when the acquisition of the view permission of that object or its container is disabled and the view permission is granted again to specific roles.

This was possible up to zope version 2.7.3, but not anymore from 2.7.8. Somewhere in between this was changed, but I could not find an explicit reference.

I used this construction a lot of times, so I have to restructure several applications. I guess that's life as well.

Thanks anyway,

cb
[Zope] user account defined outside context of object being accessed
I am in the process of upgrading from zope 2.5.1 (yes, very old). I used to use the following setup. Prototypically I had the following chain of folders and methods:

    f1 (folder)
        f1_index (dtmlmethod)
        f11 (folder)
            acl_users (user folder)
            f111 (folder)
                index_html (calling f1_index)

I used f1 to place methods and scripts to be acquired by methods in f111. At the level of f1 I defined local roles, disabled the acquisition of the view permission and added that permission on the same level again to existing roles, including the local roles, except Anonymous. f11 contained a user folder populated with accounts with local roles defined in f1.

The URL www.domain.nl/f1/f11/f111 would render the content of f1_index after logging in with an account from acl_users in f11 (basic authentication), that is at least up to zope 2.7.3. At least from 2.7.8 on, this very same user is not allowed to access f1_index anymore.

I could solve the problem by moving the user folder from f11 to f1, but actually I also have f12, f13, f14, and so on, each with its distinct group of users. The setup described enabled me to remove folders at the second level when they are not needed any more, including the whole group of users involved. Furthermore, though the second level folders share a group of methods, some were also specific to particular groups.

Another option would be to disable the acquisition of the view permission not on the f1 level, but on the f11 level. However, in that case the URL www.domain.nl/f1 would acquire the index_html from the root folder instead of disallowing access.

Apparently I have to change my habits. But how do I come near to my use case?
The error message is most verbose in 2.8.4 and reads:

    Traceback (innermost last):
      Module ZPublisher.Publish, line 113, in publish
      Module ZPublisher.mapply, line 88, in mapply
      Module ZPublisher.Publish, line 40, in call_object
      Module OFS.DTMLMethod, line 144, in __call__
       - <DTMLMethod at /f1/f11/f111/index_html>
       - URL: http://localhost:8080/f1/f11/f111/index_html/manage_main
       - Physical Path: /f1/f11/f111/index_html
      Module DocumentTemplate.DT_String, line 476, in __call__
      Module AccessControl.ImplPython, line 184, in guarded_getattr
      Module AccessControl.ImplPython, line 693, in guarded_getattr
      Module AccessControl.ImplPython, line 635, in aq_validate
      Module AccessControl.ImplPython, line 529, in validate
      Module AccessControl.ImplPython, line 449, in validate
      Module AccessControl.ImplPython, line 774, in raiseVerbose
    Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'f1_index' of (Folder at /f1), acquired through (Folder at /f1/f11/f111), denied. Your user account, user1, exists at /f1/f11/acl_users. Access requires one of the following roles: ['Authenticated', 'Manager', 'Owner', 'student'].

[Attachment: f1.zexp (binary data)]