Re: [Zope-dev] fixing security problems HOW?

2000-11-28 Thread Shane Hathaway

Robin Becker wrote:
>
> How can I find out exactly what is causing my security permissioning to
> fail?
>
> I have put extra stuff into ZPublisher\BaseRequest.py at line 463 so I
> know that I'm failing on
>
> UnauthorizedYou are not authorized to access this resource.
> URL='http://192.168.0.4:7080/live/index_html' No Authorization header
> found.
>
> I am an anonymous user. Even when I make /live have the same permissions
> as the manager I can't make it work. index_html is a dtml method of the
> class of which live is an instance.
>
> How can I figure out what is blocking the anonymous access?

1) Use the -D option to start Zope in debugging mode.

2) Install ZDebug.

3) Add a user with the essential permissions and see if *that* user can
get access.

Shane

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] fixing security problems HOW?

2000-11-28 Thread Dieter Maurer

Robin Becker writes:
> How can I find out exactly what is causing my security permissioning to
> fail?
>
> I have put extra stuff into ZPublisher\BaseRequest.py at line 463 so I
> know that I'm failing on
>
> UnauthorizedYou are not authorized to access this resource.
> URL='http://192.168.0.4:7080/live/index_html' No Authorization header
> found.
>
> I am an anonymous user. Even when I make /live have the same permissions
> as the manager I can't make it work. index_html is a dtml method of the
> class of which live is an instance.
>
> How can I figure out what is blocking the anonymous access?

The URL traversal in "ZPublisher.BaseRequest.traverse"
led to a "roles" assignment with a non-"None" value.
This triggers authentication checking.
Anonymous did not have one of the necessary roles.

I would probably check what "roles" are determined during
traversal.

Apparently, your "live" is a Z instance.
It is quite easy to forget the ZClass permission mapping
(or get it wrong). This may lead to strange permission
problems.


Dieter
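
The traversal behaviour described in the reply above, as a simplified stand-alone model. This is an added illustration, not code from the thread or from Zope's source: `Node`, `trace_roles`, `explain` and the sample site are hypothetical, and the lookup order (object first, then a declaration held by its container, then inheritance) is an assumption of the model.

```python
# Simplified, stand-alone model of role gathering during URL traversal.
# It is NOT Zope's code; Node, trace_roles and explain are hypothetical names.

INHERIT = object()  # the object declares no roles of its own


class Node:
    def __init__(self, roles=INHERIT, method_roles=None, **children):
        self.roles = roles                      # roles declared on the object
        self.method_roles = method_roles or {}  # roles the container declares per name
        self.children = children


def trace_roles(root, path):
    """Return [(segment, roles, source)] for every traversal step."""
    node = root
    roles = None if root.roles is INHERIT else root.roles
    trace = [("/", roles, "root")]
    for name in path.strip("/").split("/"):
        child = node.children[name]
        if child.roles is not INHERIT:          # assumed order: object first
            roles, source = child.roles, "declared on object"
        elif name in node.method_roles:         # then the container's declaration
            roles, source = node.method_roles[name], "declared on container"
        else:
            source = "inherited"                # roles carry over unchanged
        trace.append((name, roles, source))
        node = child
    return trace


def explain(root, path, user_roles=("Anonymous",)):
    """Return (allowed, segment that fixed the final roles)."""
    trace = trace_roles(root, path)
    final = trace[-1][1]
    decided_by = [seg for seg, _, src in trace if src != "inherited"][-1]
    if final is None:                           # None means public: no auth check
        return True, decided_by
    return bool(set(final) & set(user_roles)), decided_by


# Constructed site: /live looks public, but its container-level declaration
# (standing in for a class permission mapping) protects index_html.
SITE = Node(roles=None, live=Node(roles=None,
            method_roles={"index_html": ("Manager",)}, index_html=Node()))
```

Printing `trace_roles(SITE, "/live/index_html")` shows the roles in force after each path segment, which is the information needed to see where a non-`None` value first appears.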





Re: [Zope-dev] fixing security problems HOW?

2000-11-28 Thread Robin Becker

In article [EMAIL PROTECTED], Robin Becker [EMAIL PROTECTED] writes

>> Apparently, your "live" is a Z instance.
>> It is quite easy to forget the ZClass permission mapping
>> (or get it wrong). This may lead to strange permission
>> problems.
>
> Which ZClass permission mapping? Anonymous seems to be able to 'view'.
>
> The 'Manager' role can log in and do stuff, but even when I change the
> permissions of Anonymous to be completely the same as for Manager I
> don't get the same behaviour; i.e. anonymous is being asked to log in?
>
> The problem I suppose is that /live/index_html is really a permission of
> /live and I guess the permissions determining access etc are really in /
> the object which cannot be traversed to :)

Well, I upgraded my CVS version and everything started working again.
Mumble. If only I hadn't tried to get the new Python methods to work etc
etc dribble dribble.
-- 
Robin Becker
