[Zope] proxy roles don't get passed down a method call chain?
Tres Seaver wrote:

IIRC, if you had scripta calling scriptb, you used to be able to give scripta a proxy role and scriptb would also execute with that role. However, again IIRC, in current Zope releases, if you give scripta a proxy role, when it calls scriptb, scriptb will just run with the roles of the current user. Have I got this right? If so, I wonder why the change was made...

The only change I recall to how proxy roles work is that proxy roles used to *augment* a user's roles; now they *replace* them.

Yeah, I wonder if that means if you give it a proxy role of manager, it loses all other roles?

I don't know that the case you are talking about (S1 has proxy roles, calls protected S2 fine,

Okay, S2 here is "some permission-protected method where the current user doesn't have the required permission"...

but fails when calling PR-less S3 which calls S2) ever worked under either scenario.

Oh well, I could have sworn it did at one point :-/

Proxy roles have always only been checked for the "topmost" object on the executable stack (S1 in the first example, S2 in the second).

Is it something worth adding as a feature request or are there security implications I'm missing?

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] proxy roles on Product methods
Tom,

Please keep CC'ing in the list... last warning ;-)

Palermo, Tom wrote:

edit_html just returns a dtml form edit_html.dtml.

If you don't want to show us the *code* for edit_html, we can't help you...

I think the auth error is happening when edit_html tries to load the WYSIWYG editor.

I thought you said edit_html is a method on a disk-based python class?!

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Zope] proxy roles on Product methods
Chris Withers wrote at 2006-2-8 23:04 +:
> ...
>If the code is in a disk-based class method, security won't be coming
>into play.

Unless you call something with internal security checks (such as e.g. "_verifyObjectPaste" during "manage_paste").

--
Dieter
Re: [Zope] proxy roles on Product methods
Palermo, Tom wrote:

Is it possible to set proxy roles on methods located in Zope Products.

Not really, why do you think you need to?

see them in a sitemap (uses dtml-tree). However, I've got an edit_html method located in a Zope product that then needs to use stuff in one of the folders that has "View" set to off for that user (who's running edit_html).

If the code is in a disk-based class method, security won't be coming into play.

What errors are you seeing? (if you get an auth box, consider hitting cancel or enabling verbose security in zope.conf, restarting and trying again)

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Zope] proxy roles on Product methods
Palermo, Tom wrote at 2006-2-8 09:59 -0500:
>Is it possible to set proxy roles on methods located in Zope Products.

No, but I posted some time ago (to "zope-cmf" or "plone-users") code that allows you to set proxy roles on a region in trusted code. Search for "ProxyContext".

--
Dieter
[Zope] proxy roles on Product methods
Hi All,

Is it possible to set proxy roles on methods located in Zope Products. I need to turn the View permission off on some folders so certain users can't see them in a sitemap (uses dtml-tree). However, I've got an edit_html method located in a Zope product that then needs to use stuff in one of the folders that has "View" set to off for that user (who's running edit_html).

Thanks,

Tom
Re: [Zope] Proxy roles don't propagate? - bizarre permissions from ZDChart too
Brad Clements writes:
> ... Proxy role does not propagate ...

This has been changed starting with Zope 2.2. The callee no longer inherits the proxy role from its caller but must get its own proxy role.

Dieter

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
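The behaviour described in this thread and in the "method call chain" thread at the top of the page, as an added example that is not part of the original posts and is not Zope's own code: a simplified model of an executable stack in which only the topmost executable's proxy roles are consulted. The class and function names and `admin_page` are hypothetical; ownership checks and acquisition are left out.

```python
from dataclasses import dataclass, field

class Unauthorized(Exception):
    pass

@dataclass
class Executable:
    name: str
    proxy_roles: frozenset = frozenset()  # empty: runs with the user's roles
    allowed: frozenset = frozenset()      # roles allowed to access it; empty: public

@dataclass
class Context:
    user_roles: frozenset
    stack: list = field(default_factory=list)  # the executable stack

    def validate(self, target):
        if not target.allowed:
            return
        top = self.stack[-1] if self.stack else None
        # Only the topmost executable is consulted. Its proxy roles
        # replace the user's roles; they are not added to them.
        roles = top.proxy_roles if top and top.proxy_roles else self.user_roles
        if not roles & target.allowed:
            raise Unauthorized(target.name)

    def call(self, first, *rest):
        # Check access to `first`, then run it with `rest` as nested calls.
        self.validate(first)
        self.stack.append(first)
        try:
            if rest:
                self.call(*rest)
        finally:
            self.stack.pop()

def outcome(user_roles, *chain):
    try:
        Context(frozenset(user_roles)).call(*chain)
        return "ok"
    except Unauthorized as exc:
        return f"denied: {exc}"

# Constructed objects named after the loginForm case in this thread.
login_form = Executable("loginForm", proxy_roles=frozenset({"Customer"}))
header = Executable("standard_html_header")  # no proxy roles of its own
style_sheet = Executable("StyleSheet", allowed=frozenset({"Customer"}))
admin_page = Executable("admin_page", allowed=frozenset({"Manager"}))  # hypothetical
```

Calling `outcome({"Anonymous"}, login_form, header, style_sheet)` reproduces the reported denial, because `standard_html_header` is on top of the stack when `StyleSheet` is accessed.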
[Zope] Proxy roles don't propagate? - bizarre permissions from ZDChart too
I'm using LoginManager and the loginForm cookie method for security. I want my login form to use the same standard_html_header, stylesheet and so on as my system.

My hierarchy is

/ Strader StyleSheet acl_Users loginForm

I've denied anonymous access to Strader and so on, but I want the loginForm to be able to load standard_html_header, which in turn references a few things in Strader

Anyway, my loginForm has this:

I've given the loginForm a proxy role called "Customer"

Customer has full access to Strader and everything in it.

It looks like standard_html_header is rendered, but when standard_html_header calls StyleSheet and other objects in the Strader folder, I get the browser login box. Cancelling that shows "access to StyleSheet denied".

It's as if the proxy role assigned to loginForm is discarded by standard_html_header, even though I didn't assign standard_html_header any proxy roles.

Is this a bug, or by design?

--

Also, I see that I have some very strange permissions in my list, looks like an installed product goofed. I see these single character permissions.

A C D G Z a d h r s t

Ahh.. Looks like ZGDChart hasn't used a tuple where it should...

Brad Clements, [EMAIL PROTECTED] (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com AOL-IM: BKClements
[Zope] proxy roles in 2.2
Sven Hohage wrote:
>
> Hi,
> I've got two questions.
> 1.Is Zope 2.2.0 masking the length of the passwords?
> 2. the more important->
> I'm using a method to change properties by form. The user i.e. Tim has
> the role manager in the highest user_folder and acquisition is kept but
> Zope tells me that the user is not authorized. Why???
> Thanks!

In 2.2 proxy roles are that of the object owner. Therefore, the role(s) of the user that calls the object aren't relevant. If you need it to execute with higher permissions you need to give ownership of it to someone with the proper permissions. You may then restrict access to the method according to the authenticated user.

hope that helps,

--
ethan mindlace fremen
Zopatista Community Liason
Abnegate I!
[Zope] Proxy Roles
Hi,

I have a problem using Proxy-Roles:

I have following folders:

/foo/ bar1/ comments/ TEMPLATE bar1/ comments/ TEMPLATE barN/ ... /make_a_comment/ submit

From a DTML-Method in "make_a_comment" I want to copy the folder TEMPLATE in a specified comments-Folder and change some properties. I wrote a dtml-method called "submit":

Now I want to use a Proxy-Role for "submit" to make it possible for everyone to add a comment with this method. I added the proxy-role "manager" to the "submit"-method. But if I access submit as anonymous, Zope still means, I don't have permissions to add a folder to /foo/barx/comments/...

Any ideas to solve this problem?

I use Zope-2.1.4 on a RedHat Linux

Thanks

Robert

--
Robert Wohlfahrt ([EMAIL PROTECTED])
Tel: 0179 / 2980074
Fax: 0351 / 2880145