RE: [Zope] Strange behaviour on authorization

2000-08-21 Thread R. David Murray

On Mon, 21 Aug 2000, Casey Duncan wrote:
> The fact that your external method returns a class instance explains why it
> fails where it does instead of in the dtml-let statement. It looks as though
> Zope is allowing the object to be returned, but balking when you try to
> access it. I think I will need to see exactly what your external method and
> the returned object are doing before I can try explaining this behavior.

In 2.2 the security model is tightened.  To use returned objects of 
your special-purpose classes from dtml, you have to tell Zope that it is
OK to do so.  Check out Brian's new-security-model guide at

  http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide

(I think he also has newer stuff in the security chapter of the book
but I haven't looked at it yet).

I think what you want to do is add

__allow_access_to_unprotected_subobjects__=1

as a class variable to the class in your external method.  But read the
guide so you understand the security consequences of doing that.

--RDM


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
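
An added illustration of the class variable suggested above (not code from the thread or from Zope): `model_getattr()` is a hypothetical, simplified stand-in for the DTML attribute check, and the result classes and field values are constructed samples. The per-name dict form is an assumption to verify against the Zope release in use.

```python
# Simplified model of the check behind "Unauthorized: cn" in Zope 2.2.
# NOT Zope's code: model_getattr() and the Result classes are hypothetical.

FLAG = "__allow_access_to_unprotected_subobjects__"


class Unauthorized(Exception):
    """Stand-in for the exception shown in the traceback."""


def model_getattr(obj, name):
    """Return obj.name only if the object's class opts in to access."""
    if name.startswith("_"):
        raise Unauthorized(name)       # private names are never exposed
    policy = getattr(obj, FLAG, None)  # the class variable named in the reply
    if isinstance(policy, dict):       # per-name form (assumption: confirm
        policy = policy.get(name)      # that your Zope release supports it)
    if not policy:
        raise Unauthorized(name)       # nothing declared: access refused
    return getattr(obj, name)


class Result:
    """Object returned by the external method, with no declaration."""
    def __init__(self, cn, account, password):
        self.cn, self.account, self.password = cn, account, password


class OpenResult(Result):
    """Blanket opt-in: every public attribute is readable from DTML."""
    __allow_access_to_unprotected_subobjects__ = 1


class NarrowResult(Result):
    """Opt in only for the fields the template actually renders."""
    __allow_access_to_unprotected_subobjects__ = {"cn": 1, "account": 1}


def readable(obj, names=("cn", "account", "password")):
    """List which of the sample attributes a template could read."""
    allowed = []
    for name in names:
        try:
            model_getattr(obj, name)
            allowed.append(name)
        except Unauthorized:
            pass
    return allowed
```

In this model the blanket flag makes `password` readable from templates along with `cn`, which is the kind of consequence to weigh before setting it.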




RE: [Zope] Strange behaviour on authorization

2000-08-21 Thread Casey Duncan

The fact that your external method returns a class instance explains why it
fails where it does instead of in the dtml-let statement. It looks as though
Zope is allowing the object to be returned, but balking when you try to
access it. I think I will need to see exactly what your external method and
the returned object are doing before I can try explaining this behavior.

-Casey Duncan

-Original Message-
From: Jarkko Veijalainen [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 21, 2000 1:17 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Zope] Strange behaviour on authorization


Now, I have defined same owner to every document in that folder, but it
didn't help me.

I cranked little bit my pages and discovered little more where is the
problem. Problem isn't POSTING data, it's the return value that Zope doesn't
want to publish.





User  




  




Problem tag is  that that causes following traceback,
when I remove this tag. Traceback bugs me about Unauthorized: account, which
is 2nd value from external method's returned object resDTML.
So problem is publishing contest of resDTML called in -tags. This
don't make any sense if I have to validate every return value from external
method, it's just unacceptable. In external method, I have simple class and
instance of that class is return value of method. I repeat this again, ALL
THESE THINGS DID work with Zope 2.1.6. How can I fix this?


Traceback (innermost last):
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222,
in publish_module
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187,
in publish
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171,
in publish
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in
mapply
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112,
in call_object
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in
__call__
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py,
line 502, in __call__
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line
147, in render
  (Object: resDTML="Imap('Authentication',REQUEST,1)")
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line
337, in eval
  (Object: resDTML.cn)
  (Info: resDTML)
File , line 0, in ?
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line
142, in careful_getattr
File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in
validate
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py,
line 139, in validate
File
/usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line
159, in validate
  Unauthorized: cn

jarkkov


> try to POST data to email_headers with login form, popups Authorization
> failed window. I have tried to use my manager and superuser name and same
> values that I submitted, but nothing is accepted to auth. window.
...
> so I have authenticated user and I still can't login. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore when I
> installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate
> 'cn', which is value that I submit to another document.
>
> What went wrong here and how I fix this problem?

Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between
2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the
security level of the _owner_ of the method, regardless of whether this is a
lower or higher level than the currently authenticated user. My guess is
that your method has no owner (which is what pre-2.2.x objects default to
when run under 2.2.x). This means it is running as anonymous which does not
have rights to do what you want. Specify an owner for the method that has
sufficient rights to do what you want and try it again.







RE: [Zope] Strange behaviour on authorization

2000-08-21 Thread Jarkko Veijalainen

Now, I have defined same owner to every document in that folder, but it
didn't help me.

I cranked little bit my pages and discovered little more where is the
problem. Problem isn't POSTING data, it's the return value that Zope doesn't
want to publish.





User  




  




Problem tag is  that that causes following traceback,
when I remove this tag. Traceback bugs me about Unauthorized: account, which
is 2nd value from external method's returned object resDTML.
So problem is publishing contest of resDTML called in -tags. This
don't make any sense if I have to validate every return value from external
method, it's just unacceptable. In external method, I have simple class and
instance of that class is return value of method. I repeat this again, ALL
THESE THINGS DID work with Zope 2.1.6. How can I fix this?


Traceback (innermost last):
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222,
in publish_module
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187,
in publish
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171,
in publish
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in
mapply
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112,
in call_object
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in
__call__
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py,
line 502, in __call__
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line
147, in render
  (Object: resDTML="Imap('Authentication',REQUEST,1)")
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line
337, in eval
  (Object: resDTML.cn)
  (Info: resDTML)
File , line 0, in ?
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line
142, in careful_getattr
File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in
validate
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py,
line 139, in validate
File
/usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line
159, in validate
  Unauthorized: cn

jarkkov


> try to POST data to email_headers with login form, popups Authorization
> failed window. I have tried to use my manager and superuser name and same
> values that I submitted, but nothing is accepted to auth. window.
...
> so I have authenticated user and I still can't login. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore when I
> installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate
> 'cn', which is value that I submit to another document.
>
> What went wrong here and how I fix this problem?

Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between
2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the
security level of the _owner_ of the method, regardless of whether this is a
lower or higher level than the currently authenticated user. My guess is
that your method has no owner (which is what pre-2.2.x objects default to
when run under 2.2.x). This means it is running as anonymous which does not
have rights to do what you want. Specify an owner for the method that has
sufficient rights to do what you want and try it again.






RE: [Zope] Strange behaviour on authorization

2000-08-18 Thread Casey Duncan

Jarkko Veijalainen wrote:
> I have been trying to figure this out and get help to this almost one
> week...
...
> Zope loads login form with no problem (it's basically static page) but when I
> try to POST data to email_headers with login form, popups Authorization
> failed window. I have tried to use my manager and superuser name and same
> values that I submitted, but nothing is accepted to auth. window.
...
> so I have authenticated user and I still can't login. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore when I
> installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate
> 'cn', which is value that I submit to another document.
>
> What went wrong here and how I fix this problem?

Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between
2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the
security level of the _owner_ of the method, regardless of whether this is a
lower or higher level than the currently authenticated user. My guess is
that your method has no owner (which is what pre-2.2.x objects default to
when run under 2.2.x). This means it is running as anonymous which does not
have rights to do what you want. Specify an owner for the method that has
sufficient rights to do what you want and try it again.

Good luck,
-Casey Duncan






[Zope] Strange behaviour on authorization

2000-08-18 Thread Jarkko Veijalainen


I have been trying to figure this out and get help to this almost one
week...

I have login form called login:



  Username or ID 
  
  Password
   
  
   




email_accounts is a DTML document:





User  





Check?
Account
New
messages
Total
messages



  
 
 



  
 
 


 Check selected mailboxes:
 






Zope loads login form with no problem (it's basically static page) but when I
try to POST data to email_headers with login form, popups Authorization
failed window. I have tried to use my manager and superuser name and same
values that I submitted, but nothing is accepted to auth. window.

here's the traceback:

Zope Error

  Zope has encountered an error while publishing this resource. 

  Unauthorized

  Sorry, a Zope error occurred.

  Traceback (innermost last):
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222,
in publish_module
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187,
in publish
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171,
in publish
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in
mapply
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112,
in call_object
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in
__call__
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py,
line 502, in __call__
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line
147, in render
  (Object: resDTML="Imap('Authentication',REQUEST,1)")
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line
337, in eval
  (Object: resDTML.cn)
  (Info: resDTML)
File , line 0, in ?
File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line
142, in careful_getattr
File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in
validate
  (Object: email_accounts)
File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py,
line 139, in validate
File
/usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line
159, in validate
  Unauthorized: cn

By the way
  resDTML="Imap('Authentication',REQUEST,1)" is on External method called on
email_headers document.

I caught REQUEST from login form and it shows:

request

form

 password
  1234
 cn
  66

 AUTHENTICATION_PATH
   proto_test
 password
   1234
 dtpref_rows
   20

 tree-s
   eJzTiFZ3hANPW/VYHU0ALlYElA
 AUTHENTICATED_USER
   jarkkov

So I have authenticated user and I still can't login. All these documents
work like they're supposed to in Zope 2.1.6, but not anymore when I
installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate
'cn', which is value that I submit to another document.

What went wrong here and how I fix this problem?

jarkkov
