RE: [Zope] Strange behaviour on authorization
On Mon, 21 Aug 2000, Casey Duncan wrote:
> The fact that your external method returns a class instance explains why it
> fails where it does instead of in the dtml-let statement. It looks as though
> Zope is allowing the object to be returned, but balking when you try to
> access it. I think I will need to see exactly what your external method and
> the returned object are doing before I can try explaining this behavior.

In 2.2 the security model is tightened. To use returned objects of your special-purpose classes from dtml, you have to tell Zope that it is OK to do so. Check out Brian's new-security-model guide at http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide (I think he also has newer stuff in the security chapter of the book but I haven't looked at it yet).

I think what you want to do is add __allow_access_to_unprotected_subobjects__=1 as a class variable to the class in your external method. But read the guide so you understand the security consequences of doing that.

--RDM

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
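The class-variable declaration suggested in the reply above, shown on a stand-alone model of the check (an added example, not code from the thread or from Zope, and written in Python 3 rather than the Python of Zope 2.2). The names cn and account come from the traceback and the follow-up message; the password field, guarded_getattr, readable and the Result classes are hypothetical, and the dictionary form of the declaration is assumed to be accepted by the Zope version in use.

```python
# Simplified model of the check that raised "Unauthorized: cn" (not Zope's code).
class Unauthorized(Exception):
    pass


def guarded_getattr(obj, name):
    """Read obj.name the way restricted (DTML) code would in this model."""
    value = getattr(obj, name)
    policy = getattr(obj, "__allow_access_to_unprotected_subobjects__", None)
    if isinstance(policy, dict):      # per-name declaration (assumed supported)
        allowed = policy.get(name, 0)
    elif callable(policy):            # callback deciding per (name, value)
        allowed = policy(name, value)
    else:                             # 1, 0, or no declaration at all
        allowed = policy
    if not allowed:
        raise Unauthorized(name)
    return value


class Result:
    """Plain instance returned by an external method; declares nothing."""
    def __init__(self, cn, account, password):
        self.cn, self.account, self.password = cn, account, password


class OpenResult(Result):
    # The blanket form from the reply: every attribute becomes readable.
    __allow_access_to_unprotected_subobjects__ = 1


class NarrowResult(Result):
    # Only the names the template renders are declared readable.
    __allow_access_to_unprotected_subobjects__ = {"cn": 1, "account": 1}


def readable(obj, names=("cn", "account", "password")):
    """Return the attribute names restricted code can read from obj."""
    found = []
    for name in names:
        try:
            guarded_getattr(obj, name)
        except Unauthorized:
            continue
        found.append(name)
    return found


if __name__ == "__main__":
    for cls in (Result, OpenResult, NarrowResult):
        print(cls.__name__, readable(cls("66", "inbox", "1234")))  # constructed values
```

With the value 1, every attribute of the instance becomes readable from DTML, including ones the template never renders; the dictionary form limits the exposure to the names listed.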
RE: [Zope] Strange behaviour on authorization
The fact that your external method returns a class instance explains why it fails where it does instead of in the dtml-let statement. It looks as though Zope is allowing the object to be returned, but balking when you try to access it. I think I will need to see exactly what your external method and the returned object are doing before I can try explaining this behavior.

-Casey Duncan

-Original Message-
From: Jarkko Veijalainen [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 21, 2000 1:17 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Zope] Strange behaviour on authorization

Now, I have defined same owner to every document in that folder, but it didn't help me. I cranked little bit my pages and discovered little more where is the problem. Problem isn't POSTING data, it's the return value that Zope doesn't want to publish. User Problem tag is that that causes following traceback, when I remove this tag. Traceback bugs me about Unauthorized: account, which is 2nd value from external methods returned object resDTML. So problem is publishing contest of resDTML called in -tags. This don't make any sense if I have to validate every return value from external method, it's just unacceptable. In external method, I have simple class and instance of that class is return value of method. I repeat this again, ALL THIS THINGS DID work with Zope 2.1.6. How can I fix this?

Traceback (innermost last):
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line 147, in render
    (Object: resDTML="Imap('Authentication',REQUEST,1)")
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 337, in eval
    (Object: resDTML.cn)
    (Info: resDTML)
  File , line 0, in ?
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 142, in careful_getattr
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in validate
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py, line 139, in validate
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: cn

jarkkov

> try to POST data to email_headers with login form, popups Authorization
> failed window. I have tried to use my manager and superuser name and same
> values that I submitted, but nothing is accepted to auth. window.
...
> so I have authenticated user and I still can't login. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore when I
> installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate
> 'cn', which is value that I submit to another document.
>
> What went wrong here and how I fix this problem?

Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between 2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the security level of the _owner_ of the method, regardless of whether this is a lower or higher level than the currently authenticated user.

My guess is that your method has no owner (which is what pre-2.2.x objects default to when run under 2.2.x). This means it is running as anonymous which does not have rights to do what you want. Specify an owner for the method that has sufficient rights to do what you want and try it again.
RE: [Zope] Strange behaviour on authorization
Now, I have defined same owner to every document in that folder, but it didn't help me. I cranked little bit my pages and discovered little more where is the problem. Problem isn't POSTING data, it's the return value that Zope doesn't want to publish. User Problem tag is that that causes following traceback, when I remove this tag. Traceback bugs me about Unauthorized: account, which is 2nd value from external methods returned object resDTML. So problem is publishing contest of resDTML called in -tags. This don't make any sense if I have to validate every return value from external method, it's just unacceptable. In external method, I have simple class and instance of that class is return value of method. I repeat this again, ALL THIS THINGS DID work with Zope 2.1.6. How can I fix this?

Traceback (innermost last):
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line 147, in render
    (Object: resDTML="Imap('Authentication',REQUEST,1)")
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 337, in eval
    (Object: resDTML.cn)
    (Info: resDTML)
  File , line 0, in ?
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 142, in careful_getattr
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in validate
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py, line 139, in validate
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: cn

jarkkov

> try to POST data to email_headers with login form, popups Authorization
> failed window. I have tried to use my manager and superuser name and same
> values that I submitted, but nothing is accepted to auth. window.
...
> so I have authenticated user and I still can't login. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore when I
> installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate
> 'cn', which is value that I submit to another document.
>
> What went wrong here and how I fix this problem?

Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between 2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the security level of the _owner_ of the method, regardless of whether this is a lower or higher level than the currently authenticated user.

My guess is that your method has no owner (which is what pre-2.2.x objects default to when run under 2.2.x). This means it is running as anonymous which does not have rights to do what you want. Specify an owner for the method that has sufficient rights to do what you want and try it again.
RE: [Zope] Strange behaviour on authorization
Jarkko Veijalainen wrote:
> I have been trying to figure this out and get help to this almost one
> week...
...
> Zope loads login form with no problem (it's basically static page) but when I
> try to POST data to email_headers with login form, popups Authorization
> failed window. I have tried to use my manager and superuser name and same
> values that I submitted, but nothing is accepted to auth. window.
...
> so I have authenticated user and I still can't login. All these documents
> work like they're supposed to in Zope 2.1.6, but not anymore when I
> installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate
> 'cn', which is value that I submit to another document.
>
> What went wrong here and how I fix this problem?

Aha, it worked in 2.1.6 eh? That's the tip off. A *major* change between 2.1.x and 2.2.x is in the security dept. 2.2.x runs all methods using the security level of the _owner_ of the method, regardless of whether this is a lower or higher level than the currently authenticated user.

My guess is that your method has no owner (which is what pre-2.2.x objects default to when run under 2.2.x). This means it is running as anonymous which does not have rights to do what you want. Specify an owner for the method that has sufficient rights to do what you want and try it again.

Good luck,
-Casey Duncan
[Zope] Strange behaviour on authorization
I have been trying to figure this out and get help to this almost one week...

I have login form called login:

Username or ID
Password

email_accounts is a DTML document:

User Check? Account New messages Total messages
Check selected mailboxes:

Zope loads login form with no problem (it's basically static page) but when I try to POST data to email_headers with login form, popups Authorization failed window. I have tried to use my manager and superuser name and same values that I submitted, but nothing is accepted to auth. window.

here's the traceback:

Zope Error
Zope has encountered an error while publishing this resource.
Unauthorized
Sorry, a Zope error occurred.

Traceback (innermost last):
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLDocument.py, line 171, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Let.py, line 147, in render
    (Object: resDTML="Imap('Authentication',REQUEST,1)")
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 337, in eval
    (Object: resDTML.cn)
    (Info: resDTML)
  File , line 0, in ?
  File /usr/local/Zope-2.2.0/lib/python/DocumentTemplate/DT_Util.py, line 142, in careful_getattr
  File /usr/local/Zope-2.2.0/lib/python/OFS/DTMLMethod.py, line 194, in validate
    (Object: email_accounts)
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/SecurityManager.py, line 139, in validate
  File /usr/local/Zope-2.2.0/lib/python/AccessControl/ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: cn

by the way resDTML="Imap('Authentication',REQUEST,1)" is on External method called on email_headers document. I caught REQUEST from login form and it shows:

request form
password 1234
cn 66
AUTHENTICATION_PATH proto_test
password 1234
dtpref_rows 20
tree-s eJzTiFZ3hANPW/VYHU0ALlYElA
AUTHENTICATED_USER jarkkov

so I have authenticated user and I still can't login. All these documents work like they're supposed to in Zope 2.1.6, but not anymore when I installed Zope 2.2.0 on Solaris. Why is Zopesecurity trying to validate 'cn', which is value that I submit to another document.

What went wrong here and how I fix this problem?

jarkkov