Re: [Zope] Acquisition / proxying object
Joerg Baach wrote at 2008-2-25 19:45 +: ... I am trying to have a folderish object that acquires from a user object (ldapuserfolder). It should have its own properties and contents, but fall back to the ones of the ldap user. I have created an object, extending Folder, and it behaves nicely in zopectl debug. When I try to access it through e.g. a python script I get an: Error Type: Unauthorized Error Value: Unable to find __roles__ in the container and the container is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at /testfolder/ldapproxy), denied. When you access attribute x (with value xv) on object o, Zope will first check whether xv has security declarations (more precisely, a __roles__ attribute). If it has, they are used. Otherwise, Zope checks for o.x__roles__. If found, they are used. Otherwise, o.__roles__ may be examined (under some circumstances). Note that for most security declarations, o needs to be fully acquisition wrapped. Otherwise, there may be two problems: * Zope cannot find the information to map permissions to roles (as this mapping is defined on the acquisition path leading to the root) * o does is not covered by the user folder which has identified the current user. A user has only special roles on objects covered by its user folder. A object is covered by a user folder, when the object lies in the subtree rooted in the user folder's container. -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
Joerg Baach wrote at 2008-2-25 22:03 +: ... Error Type: Unauthorized Error Value: Your user account is defined outside the context of the object being accessed. This is a different spelling for what I called in the last message object not covered by the user folder identifying the current user. -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 23:52:26 Joerg Baach wrote:
Hi *,
But somehow I have the feeling it has more to do with the 'and the
container is not wrapped' part of the message. Not that I can make sense
of it ;-)
Mmm, after even more searching, and not understanding I found
http://www.mail-archive.com/[EMAIL PROTECTED]/msg11438.html
and changed my code to:
def __of__(self, parent):
'''foo'''
if not hasattr(parent,'aq_base'):
return self
folder,id = self.remoteid.split(':')
acl = parent.unrestrictedTraverse(folder)
You're now doing no security checks on traversal, probably thats why you don't
get any Unauthorized exceptions :-)
- peter.
remote = acl.getUser(id)
return Acquisition.ImplicitAcquisitionWrapper(aq_base(self),
aq_base(remote).__of__(parent))
Now, this actually seems to work. If only I knew why
Cheers,
Joerg
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
Hi Peter, acl = parent.unrestrictedTraverse(folder) when changing to acl = parent.restrictedTraverse(folder) I still don't get the Unauthorized exceptions. Anyhow, I will have to do a bit more wrapping, and then see if the solutions survive the security testing ;-) Cheers, Joerg signature.asc Description: OpenPGP digital signature ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
This is maybe a naive suggestion but if Zope's TTW execution (e.g.
Python Scripts) can't find a __roles__ on the object at hand doesn't
that just mean that the class wasn't initialized with any security.
class LDAPProxy(Folder):
...
from Globals import InitializeClass
InitializeClass(LDAPProxy)
That should set the *__roles__ on all it's methods.
Joerg Baach wrote:
Hi *,
I am trying to have a folderish object that acquires from a user object
(ldapuserfolder). It should have its own properties and contents, but
fall back to the ones of the ldap user.
I have created an object, extending Folder, and it behaves nicely in
zopectl debug. When I try to access it through e.g. a python script I
get an:
Error Type: Unauthorized
Error Value: Unable to find __roles__ in the container and the container
is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
/testfolder/ldapproxy), denied.
I am sure its my lack of understanding of acquisition. I am trying to
bascially put ldap user object 'on top' of the aquisition line (with the
ldapproxy at the bottom), but obviously failing in doing so. Any ideas?
Cheers,
Joerg
8 excerpt from code ---
class LDAPProxy(Folder):
meta_type='LDAPProxy'
def __init__(self, id, remoteid,title='',REQUEST=None):
self.id = id
self.title = title
self.remoteid = remoteid
def __of__(self, parent):
if not hasattr(parent,'aq_base'):
return self
folder,id = self.remoteid.split(':')
acl = parent.restrictedTraverse(folder)
remote = acl.getUser(id)
return Folder.__of__(self,parent.__of__(remote))
--- teststructure--
/testfolder/
ldapproxy (LDAPProxy)
acl_users/
testscript (.py)
8 testscript -
return context.ldapproxy.dn
traceback--
Traceback (most recent call last):
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py,
line 113, in publish
request, bind=1)
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/mapply.py,
line 88, in mapply
if debug is not None: return debug(object,args,context)
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py,
line 40, in call_object
result=apply(object,args) # Type scr to step into published object.
File
/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py,
line 311, in __call__
return self._bindAndExec(args, kw, None)
File
/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py,
line 348, in _bindAndExec
return self._exec(bound_data, args, kw)
File
/home/joerg/zope/Zope-2.8.5/lib/python/Products/PythonScripts/PythonScript.py,
line 323, in _exec
result = f(*args, **kw)
File Script (Python), line 1, in testscript
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 727, in guarded_getattr
aq_acquire(inst, name, aq_validate, validate)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 669, in aq_validate
return validate(inst, object, name, v)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 563, in validate
self._context)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 293, in validate
accessed, container, name, value, context)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 808, in raiseVerbose
raise Unauthorized(text)
Unauthorized: Unable to find __roles__ in the container and the
container is not wrapped. Access to 'dn' of test, acquired through
(LDAPProxy at /testfolder/ldapproxy), denied.
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Acquisition / proxying object
Hi *,
I am trying to have a folderish object that acquires from a user object
(ldapuserfolder). It should have its own properties and contents, but
fall back to the ones of the ldap user.
I have created an object, extending Folder, and it behaves nicely in
zopectl debug. When I try to access it through e.g. a python script I
get an:
Error Type: Unauthorized
Error Value: Unable to find __roles__ in the container and the container
is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
/testfolder/ldapproxy), denied.
I am sure its my lack of understanding of acquisition. I am trying to
bascially put ldap user object 'on top' of the aquisition line (with the
ldapproxy at the bottom), but obviously failing in doing so. Any ideas?
Cheers,
Joerg
8 excerpt from code ---
class LDAPProxy(Folder):
meta_type='LDAPProxy'
def __init__(self, id, remoteid,title='',REQUEST=None):
self.id = id
self.title = title
self.remoteid = remoteid
def __of__(self, parent):
if not hasattr(parent,'aq_base'):
return self
folder,id = self.remoteid.split(':')
acl = parent.restrictedTraverse(folder)
remote = acl.getUser(id)
return Folder.__of__(self,parent.__of__(remote))
--- teststructure--
/testfolder/
ldapproxy (LDAPProxy)
acl_users/
testscript (.py)
8 testscript -
return context.ldapproxy.dn
traceback--
Traceback (most recent call last):
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py,
line 113, in publish
request, bind=1)
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/mapply.py,
line 88, in mapply
if debug is not None: return debug(object,args,context)
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py,
line 40, in call_object
result=apply(object,args) # Type scr to step into published object.
File
/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py,
line 311, in __call__
return self._bindAndExec(args, kw, None)
File
/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py,
line 348, in _bindAndExec
return self._exec(bound_data, args, kw)
File
/home/joerg/zope/Zope-2.8.5/lib/python/Products/PythonScripts/PythonScript.py,
line 323, in _exec
result = f(*args, **kw)
File Script (Python), line 1, in testscript
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 727, in guarded_getattr
aq_acquire(inst, name, aq_validate, validate)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 669, in aq_validate
return validate(inst, object, name, v)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 563, in validate
self._context)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 293, in validate
accessed, container, name, value, context)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 808, in raiseVerbose
raise Unauthorized(text)
Unauthorized: Unable to find __roles__ in the container and the
container is not wrapped. Access to 'dn' of test, acquired through
(LDAPProxy at /testfolder/ldapproxy), denied.
signature.asc
Description: OpenPGP digital signature
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 20:45:37 Joerg Baach wrote:
Hi *,
I am trying to have a folderish object that acquires from a user object
(ldapuserfolder). It should have its own properties and contents, but
fall back to the ones of the ldap user.
I have created an object, extending Folder, and it behaves nicely in
zopectl debug. When I try to access it through e.g. a python script I
get an:
Error Type: Unauthorized
Error Value: Unable to find __roles__ in the container and the container
is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
/testfolder/ldapproxy), denied.
I am sure its my lack of understanding of acquisition. I am trying to
bascially put ldap user object 'on top' of the aquisition line (with the
ldapproxy at the bottom), but obviously failing in doing so. Any ideas?
I'm not familiar with LDAPUserFolder (its not really a user object but a user
container, isn't it?) but the error you're getting is a security error -- the
Python Script checks for security attributes before it accesses attributes.
You need to add the appropriate security declarations in your product before
it can be used inside PyScript
You might try the verbose-security directive in zope.conf to debug stuff like
that; I hope it is available in the version of Zope you're running (I'm on
2.10)
As a hack to disable all security checks on a class you can add the attribute
__allow_access_to_unprotected_subobjects__ = 1 , effectively disabling
security. This of course should only be done if you trust your users!
hth
peter.
Cheers,
Joerg
8 excerpt from code ---
class LDAPProxy(Folder):
meta_type='LDAPProxy'
def __init__(self, id, remoteid,title='',REQUEST=None):
self.id = id
self.title = title
self.remoteid = remoteid
def __of__(self, parent):
if not hasattr(parent,'aq_base'):
return self
folder,id = self.remoteid.split(':')
acl = parent.restrictedTraverse(folder)
remote = acl.getUser(id)
return Folder.__of__(self,parent.__of__(remote))
--- teststructure--
/testfolder/
ldapproxy (LDAPProxy)
acl_users/
testscript (.py)
8 testscript -
return context.ldapproxy.dn
traceback--
Traceback (most recent call last):
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py,
line 113, in publish
request, bind=1)
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/mapply.py,
line 88, in mapply
if debug is not None: return debug(object,args,context)
File /home/joerg/zope/Zope-2.8.5/lib/python/ZPublisher/Publish.py,
line 40, in call_object
result=apply(object,args) # Type scr to step into published object.
File
/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py,
line 311, in __call__
return self._bindAndExec(args, kw, None)
File
/home/joerg/zope/Zope-2.8.5/lib/python/Shared/DC/Scripts/Bindings.py,
line 348, in _bindAndExec
return self._exec(bound_data, args, kw)
File
/home/joerg/zope/Zope-2.8.5/lib/python/Products/PythonScripts/PythonScript
.py, line 323, in _exec
result = f(*args, **kw)
File Script (Python), line 1, in testscript
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 727, in guarded_getattr
aq_acquire(inst, name, aq_validate, validate)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 669, in aq_validate
return validate(inst, object, name, v)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 563, in validate
self._context)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 293, in validate
accessed, container, name, value, context)
File
/home/joerg/zope/Zope-2.8.5/lib/python/AccessControl/ImplPython.py,
line 808, in raiseVerbose
raise Unauthorized(text)
Unauthorized: Unable to find __roles__ in the container and the
container is not wrapped. Access to 'dn' of test, acquired through
(LDAPProxy at /testfolder/ldapproxy), denied.
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
Hi Peter, I'm not familiar with LDAPUserFolder (its not really a user object but a user container, isn't it?) but the error you're getting is a security error -- the Python Script checks for security attributes before it accesses attributes. You need to add the appropriate security declarations in your product before it can be used inside PyScript Well, even with: __allow_access_to_unprotected_subobjects__ = 1 I get the same error. VerboseSecurity is also on. :-( Cheers, Joerg signature.asc Description: OpenPGP digital signature ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
I should have mentioned that in order for verbose-security to work you also need to switch to the python security implementation -- did you do that? Yes, I did. If yes, you should see lines like these in your event.log: No, don't :-( But somehow I have the feeling it has more to do with the 'and the container is not wrapped' part of the message. Not that I can make sense of it ;-) Cheers, Joerg signature.asc Description: OpenPGP digital signature ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 22:45:24 Joerg Baach wrote: I should have mentioned that in order for verbose-security to work you also need to switch to the python security implementation -- did you do that? Yes, I did. If yes, you should see lines like these in your event.log: No, don't :-( Strange... But somehow I have the feeling it has more to do with the 'and the container is not wrapped' part of the message. Not that I can make sense of it ;-) Yes, definitely. Its just with VerboseSecurity its easier to debug... Another option: put a debugger breakpoint (eg. import pdb; pdb.set_trace()) at the place where the Unauthorized exception is raised and inspect the objects peter. Cheers, Joerg ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
On Monday 25 February 2008 21:31:46 Joerg Baach wrote: Hi Peter, I'm not familiar with LDAPUserFolder (its not really a user object but a user container, isn't it?) but the error you're getting is a security error -- the Python Script checks for security attributes before it accesses attributes. You need to add the appropriate security declarations in your product before it can be used inside PyScript Well, even with: __allow_access_to_unprotected_subobjects__ = 1 I get the same error. VerboseSecurity is also on. :-( I should have mentioned that in order for verbose-security to work you also need to switch to the python security implementation -- did you do that? security-policy-implementation python in zope.conf If yes, you should see lines like these in your event.log: 2008-02-25T22:30:18 DEBUG ImplPython Unauthorized: Your user account does not have the required permission. Access to 'manage' of (Application at ) denied. Your user account, Anonymous User, exists at /acl_users. Access requires one of the following roles: ['Manager']. Your roles in this context are ['Anonymous']. peter. Cheers, Joerg ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
ps.: http://www.zope.org/Documentation/Books/ZDG/current/Security.stx has old but AFAIK still good info On Monday 25 February 2008 22:45:24 Joerg Baach wrote: I should have mentioned that in order for verbose-security to work you also need to switch to the python security implementation -- did you do that? Yes, I did. If yes, you should see lines like these in your event.log: No, don't :-( But somehow I have the feeling it has more to do with the 'and the container is not wrapped' part of the message. Not that I can make sense of it ;-) Cheers, Joerg ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
Hi again,
2008-02-25T22:30:18 DEBUG ImplPython Unauthorized: Your user account does not
have the required permission. Access to 'manage' of (Application at )
denied. Your user account, Anonymous User, exists at /acl_users. Access
requires one of the following roles: ['Manager']. Your roles in this context
are ['Anonymous'].
Actually, if I change my code to something like:
def __of__(self, parent):
'''foo'''
if not hasattr(parent,'aq_base'):
return self
folder,id = self.remoteid.split(':')
acl = parent.restrictedTraverse(folder)
remote = acl.getUser(id)
self = Acquisition.ImplicitAcquisitionWrapper(self, remote)
self = Acquisition.ImplicitAcquisitionWrapper(self, parent)
return self
(idea taken from
http://www.mail-archive.com/[EMAIL PROTECTED]/msg11713.html)
I get a
Error Type: Unauthorized
Error Value: Your user account is defined outside the context of the
object being accessed. Access to 'ldapproxy' of (Folder at /testfolder)
denied. Your user account, admin, exists at /acl_users. Access requires
one of the following roles: ['Manager'].
Well, admin has 'Manager'.
/me scratches his head
Cheers,
Joerg
signature.asc
Description: OpenPGP digital signature
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Acquisition / proxying object
Hi *,
But somehow I have the feeling it has more to do with the 'and the
container is not wrapped' part of the message. Not that I can make sense
of it ;-)
Mmm, after even more searching, and not understanding I found
http://www.mail-archive.com/[EMAIL PROTECTED]/msg11438.html
and changed my code to:
def __of__(self, parent):
'''foo'''
if not hasattr(parent,'aq_base'):
return self
folder,id = self.remoteid.split(':')
acl = parent.unrestrictedTraverse(folder)
remote = acl.getUser(id)
return Acquisition.ImplicitAcquisitionWrapper(aq_base(self),
aq_base(remote).__of__(parent))
Now, this actually seems to work. If only I knew why
Cheers,
Joerg
signature.asc
Description: OpenPGP digital signature
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
