[Zope-dev] But I used __ac_permissions__! :S

2000-09-01 Thread Chris Withers

Brian Lloyd wrote:
 
> Here's a quick thing to try- if 'subject' is an attribute
> of your Article class, try adding:
>
> class Article(...):
>   subject__roles__=None
>
> then restart and see if you still get unauthorized...

yup, I do :-(

And besides, 'subject' is already in __ac_permissions__, as you can see:

(a lot of stuff snipped out though ;-)

__ac_permissions__ = (
('View', ['subject','getThread'], ('Anonymous', 'Manager')),
)

and I do appropriate Globals.default__class_init__'s...

Man, I really have no idea, and not even any clue where to look.

The big factor seems to be that 'subject' is a string. I had a similar
problem with the SquishFile class with the 'icon' attribute.

When it was a string:

# protected by 'View' permission
icon = 'misc_/Squishdot/squishfile_img'

...even though it was a class variable and protected in
__ac_permissions__, I was getting very similar errors to the above...

I was lucky, in that case, because it was a class variable, I could turn
it into a method:

# protected by 'View' permission
def icon(self):
    return 'misc_/Squishdot/squishfile_img'

...and, lo and behold, no more security errors from there... :S

Unfortunately, the string attributes in the Article class are instance
attributes, not class attributes, so I can't do the same thing :-(

Any ideas?

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] But I used __ac_permissions__! :S

2000-09-01 Thread Phillip J. Eby

This is just a SWAG (Strategic Wild-Ass Guess), but Ty and I have been
having a problem with the search feature in Squishdot 0.7.0 that seems
possibly to be related.  Our trace of the problem shows that catalog
searches from the SquishSite return objects which are wrapped with a
*different* acquisition hierarchy than the SquishSite itself or from the
User object it's trying to check roles on.  Thus, *even though* the user
has the right roles, user.allowed() disallows the roles as invalid because
they're being granted from a (seemingly) different hierarchy.

What we found is that ZCatalog uses the older REQUEST.resolve_url() method
to access the "true" objects, which has this side effect.  If it used the
new 2.2 traverse methods, the acquisition hierarchy would be the same.  As
it stands, the objects returned by ZCatalog.getobject (by way of
SquishSite.__call__) even have different REQUEST objects than the original
REQUEST object for the web hit.

Does this sound like it's anything related to the problems you're having?

At 05:00 PM 9/1/00 +0100, Chris Withers wrote:
> Brian Lloyd wrote:
> >
> > Here's a quick thing to try- if 'subject' is an attribute
> > of your Article class, try adding:
> >
> > class Article(...):
> >   subject__roles__=None
> >
> > then restart and see if you still get unauthorized...
>
> yup, I do :-(
>
> And besides, 'subject' is already in __ac_permissions__, as you can see:
>
> (a lot of stuff snipped out though ;-)
>
> __ac_permissions__ = (
> ('View', ['subject','getThread'], ('Anonymous', 'Manager')),
> )
>
> and I do appropriate Globals.default__class_init__'s...
>
> Man, I really have no idea, and not even any clue where to look.
>
> The big factor seems to be that 'subject' is a string. I had a similar
> problem with the SquishFile class with the 'icon' attribute.
>
> When it was a string:
>
> # protected by 'View' permission
> icon = 'misc_/Squishdot/squishfile_img'
>
> ...even though it was a class variable and protected in
> __ac_permissions__, I was getting very similar errors to the above...
>
> I was lucky, in that case, because it was a class variable, I could turn
> it into a method:
>
> # protected by 'View' permission
> def icon(self):
>     return 'misc_/Squishdot/squishfile_img'
>
> ...and, lo and behold, no more security errors from there... :S
>
> Unfortunately, the string attributes in the Article class are instance
> attributes, not class attributes, so I can't do the same thing :-(
>
> Any ideas?
>
> cheers,
>
> Chris

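A simplified model of the failure described in the reply above, added here as an illustration; it is not code from Zope, Squishdot or any post in this thread. The names Wrapped, traverse and User are hypothetical, and the model assumes the role check only honours a role when the object's parent chain contains, by identity, the place where the user is defined.

```python
class Wrapped:
    """Toy stand-in for an acquisition wrapper: a name plus the parent it was reached through."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def chain(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

    def path(self):
        return "/".join(reversed([n.name for n in self.chain()]))

    def in_context_of(self, context):
        # Identity comparison: an equal path built by another lookup does not count.
        return any(node is context for node in self.chain())


def traverse(path):
    """Build a fresh hierarchy for one lookup, as a separate URL resolve would."""
    node = None
    for name in path.split("/"):
        node = Wrapped(name, node)
    return node


class User:
    def __init__(self, roles, folder_parent):
        self.roles = set(roles)
        self.folder_parent = folder_parent  # container that holds the user folder

    def allowed(self, obj, object_roles):
        if not self.roles & set(object_roles):
            return False
        # The role only counts if obj sits inside the hierarchy that granted it.
        return obj.in_context_of(self.folder_parent)


def demo():
    site = traverse("root/site")              # hierarchy of the current web request
    user = User(["Manager"], folder_parent=site)
    article = Wrapped("article", site)        # reached through that same hierarchy
    resolved = traverse("root/site/article")  # same path, resolved again from scratch
    return {
        "same_path": article.path() == resolved.path(),
        "via_request": user.allowed(article, ["Manager"]),
        "via_resolve": user.allowed(resolved, ["Manager"]),
    }


if __name__ == "__main__":
    print(demo())
```

Both objects report the same path and the user holds the required role, yet only the one reached through the request's own hierarchy passes the check.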