Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote at 2005-10-17 16:21 -0600: > ... > File "/usr/local/zinstance/Products/CMFPlone/PloneFolder.py", line >306, in manage_delObjects >raise Unauthorized, ( >Unauthorized: Do not have permissions to remove this object This obviously is the Plone implementation of "manage_delObjects" -- and it apparently performs an explicit check (unlike Zope's "manage_delObjects"). You should ask Plone related questions on the Plone (and not the Zope) mailing list. Things can be quite different in Plone land (as e.g. for "manage_delObjects"). -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote: That was my expectation too, but alas -- it does not work for me. Have you specifically tried this? Yes, many times... Set up: - Plone Site with "Delete objects" permission granted only to Manager (not inheriting privs) - (Plone) Folder "abc" with an object "xyz" under the Plone Site (inheriting privs) Well, you're using Plone, so you're on your own. It or CMF may do some other funky permissions checks on delete which are screwing you up... Browser shows: Insufficient Privileges You do not have sufficient privileges to view this page. If you believe you are receiving this message in error, please send an e-mail to" File "/usr/local/zinstance/Products/CMFPlone/PloneFolder.py", line 306, in manage_delObjects raise Unauthorized, ( Unauthorized: Do not have permissions to remove this object You should install VerboseSecurity if using Zope 2.7 or enable in in zope.conf if using Zope 2.8, it will tell you more... But, look at that traceback, it's coming from PloneFolder.py (suprise, suprise) so you'll have to go there and find out what funky nastiness is lurking ;-) cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Chris Withers wrote: Nikko Wolf wrote: I'm trying to allow users to delete objects that have been accidentally created. I have criteria for what that means, but since I *DO NOT* want them to delete object except by this method, I want to avoid granting "Delete objects" to them (non-Managers). Have the "delete process" done in a python script or external method. Only give "view" permission to that method to people who you want to be able to delete objects. If it's a python script, give it a Proxy role that has the "Delete objects" permission mapped, and you'll be fine :-) That was my expectation too, but alas -- it does not work for me. Have you specifically tried this? Set up: - Plone Site with "Delete objects" permission granted only to Manager (not inheriting privs) - (Plone) Folder "abc" with an object "xyz" under the Plone Site (inheriting privs) - The following "Script (Python)" named "nuke" and with "Manager" proxy role. - Non Manager user - Load URL: {plone-root}/abc/xyz/nuke Browser shows: Insufficient Privileges You do not have sufficient privileges to view this page. If you believe you are receiving this message in error, please send an e-mail to" The events.log shows: 2005-10-17T16:16:34 ERROR(200) SiteError http://localhost:8080/PloneRoot/abc/xyz/nuke Traceback (most recent call last): File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 101, in publish request, bind=1) File "/usr/local/zope/lib/python/ZPublisher/mapply.py", line 88, in mapply if debug is not None: return debug(object,args,context) File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 39, in call_object result=apply(object,args) # Type s to step into published object. File "/usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py", line 306, in __call__ return self._bindAndExec(args, kw, None) File "/usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py", line 343, in _bindAndExec return self._exec(bound_data, args, kw) File "/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py", line 324, in _exec result = f(*args, **kw) File "Script (Python)", line 16, in mlt File "/usr/local/zinstance/Products/CMFPlone/PloneFolder.py", line 306, in manage_delObjects raise Unauthorized, ( Unauthorized: Do not have permissions to remove this object The script is: ## Script (Python) "nuke" ##bind container=container ##bind context=context ##bind namespace= ##bind script=script ##bind subpath=traverse_subpath ##parameters= ##title=My Test Script ## from Products.PythonScripts.standard import html_quote objid = context.getId() folder = context.aq_inner.aq_parent mylog = folder.plone_log # ## DELETION CRITERIA CHECKS OMITTED # So, now we delete it... member = context.portal_membership.getAuthenticatedMember() mylog( "%s deletes (%s) from (%s)" %\ (member.id, context.absolute_url(), folder.absolute_url())) resp = folder.manage_delObjects( [objid] ) mylog( "folder.{%s}.manage_delObjects(['%s'] = {%s}\nCTX=%s" % (folder.absolute_url(), objid, folder.dumpIt( resp ), folder.absolute_url())) mylog( "Remaining: " + str(folder.objectIds()) ) # Set 'text' for the portal_status_message text = "No exceptions deleting '%s'" % objid if objid in folder.objectIds(): text += " / ID is still there" else: text += " / ID is gone" if context in folder.objectValues(): text += " / OBJECT is still there" else: text += " / OBJECT is gone" context.REQUEST.RESPONSE.redirect( folder.absolute_url() + '?portal_status_message=' + html_quote(text)) ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Dieter Maurer wrote: Nikko Wolf wrote at 2005-10-14 15:37 -0600: I'm trying to allow users to delete objects that have been accidentally created. I have criteria for what that means, but since I *DO NOT* want them to delete object except by this method, I want to avoid granting "Delete objects" to them (non-Managers). Can this even be done? At the base level, "Delete objects" is a hard-coded requirement of the ObjectManager.manage_delObjects() function. Usually, an "External Method" is not restricted by Zope's security. Unless "manage_delObjects" does not perform an additional internal check (I think, it does not), your "External Method" can use it to delete objects. My question stemmed from the fact that (for reasons I cannot not duplicate), I was repeatedly getting Unauthorized exceptions using the manage_delObjects() function. Thus, I moved the functionality into an External Method, intending to avoid the restrictions. But even there, throughout changes too numerous to remember now, the Unauthorized problem persisted. Then, after snooping around I found code in zope/lib/python/OFS/ObjectManager.py that set __ac_permissions__ with an entry: ('Delete objects', ('manage_delObjects',)) ... hence my thought was that the ObjectManager class had the requirement builtin at the source code level. Even trying new security context (created from within the External Method) did not work. After many hours of effort and debugging, I find that it works in a "Script (Python)" with precisely the same code that I (thought I) used originally. Obviously, something is different, but unless it was a subtle typo that compiled correctly and worked (but not as desired) I cannot fathom what has changed. BTW: Often, it is more faster simply to try something than to post a question to the mailing list and wait for the answer. Your question above is such a case ... Indeed, I know that well. I *had* tried a multitude of variations before sending; and I'd originally included details in the first posting, but deleted it before I sent it since the question seemed to stand on its own. Thanks anyway, Nikko ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote: I'm trying to allow users to delete objects that have been accidentally created. I have criteria for what that means, but since I *DO NOT* want them to delete object except by this method, I want to avoid granting "Delete objects" to them (non-Managers). Have the "delete process" done in a python script or external method. Only give "view" permission to that method to people who you want to be able to delete objects. If it's a python script, give it a Proxy role that has the "Delete objects" permission mapped, and you'll be fine :-) cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote at 2005-10-14 15:37 -0600: >I'm trying to allow users to delete objects that have been accidentally >created. I have criteria for what that means, but since I *DO NOT* want >them to delete object except by this method, I want to avoid granting >"Delete objects" to them (non-Managers). > >Can this even be done? At the base level, "Delete objects" is a >hard-coded requirement of the ObjectManager.manage_delObjects() function. Usually, an "External Method" is not restricted by Zope's security. Unless "manage_delObjects" does not perform an additional internal check (I think, it does not), your "External Method" can use it to delete objects. BTW: Often, it is more faster simply to try something than to post a question to the mailing list and wait for the answer. Your question above is such a case ... -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Deleting objects from an external method
I'm trying to allow users to delete objects that have been accidentally created. I have criteria for what that means, but since I *DO NOT* want them to delete object except by this method, I want to avoid granting "Delete objects" to them (non-Managers). Can this even be done? At the base level, "Delete objects" is a hard-coded requirement of the ObjectManager.manage_delObjects() function. One solution that I considered is to create a new role with the privilege, then within my ExternalMethod: - grant the role to the user for the folder, - delete the object, - remove the role for that user for the folder But this seems overly tedious, and a problem if the script terminates before removing the role. Similarly, it could use the Manager role in the same scenario, but this seems dangerous. Any insights appreciated, Nikko PS: This seems on-topic, but using the code shown did not seem to have any effect: http://mail.zope.org/pipermail/zope/2003-October/142887.html ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] deleting objects
> > I created a dtml method named "dev_header" in my site root. In another > folder further down my tree I created another "dev_header" with different > info. I then deleted the second "dev_header" (/news/dev_header) expecting > my pages to then grab the "dev_header" from the root directory, but they > don't. Why? > May be your browser cache is playing tricks on you cb ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] deleting objects
Sorry if this one is obvious. I created a dtml method named "dev_header" in my site root. In another folder further down my tree I created another "dev_header" with different info. I then deleted the second "dev_header" (/news/dev_header) expecting my pages to then grab the "dev_header" from the root directory, but they don't. Why? Jamey ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )