Re: [Zope] ZWiki RecentChanges don't work in Zope 2.2.x

2000-09-25 Thread Simon Michael

what Martijn said (thanks Martijn). 

Another quick workaround mentioned on ZWikiProblems: you could remove
the calls to getSize and similar attributes from your recentchanges
page.  Then Access Contents Information should be sufficient.

-Simon

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] ZWiki RecentChanges don't work in Zope 2.2.x

2000-09-25 Thread Martijn Pieters

On Mon, Sep 25, 2000 at 04:14:03PM +0100, Chris Withers wrote:
> ...you get an authorization error :-(
> 
> This is because this Wiki isn't (and shouldn't) be publicly viewable or
> editable.
> 
> So, Anonymous doesn't have 'View' permission on the folder. I've given
> Anonymous 'Access Contents Information', the usual nasty hack I had to
> do before, but now that just changes the error message :-S (it's in a PS
> below)
> 
> I guess the Interfaces Wiki does pretty much this, but RecentChanges
> works there. What tweaks to permissions and code have been made there?
> 
> This all stems from the fact that DTML in Wiki code _always_ executes
> with the Anonymous role. That's stoopid :-(
> Wouldn't it make more sense for it to execute with whatever Proxy Roles
> that Wiki Page has?
> I would code this myself, but I don't know how. Any ideas?
> 
> Any other thoughts about the problem?

I have seen the same problem; the getSize method isn't accessible to
RecentChanges, even though the Authenticated User has the View permission.
Only when you explicitly give Anonymous the View permission on the Folder
(or every individual ZWiki page), will RecentChanges render.

This is caused by specific 'safetybelting', implemented by Jim Fulton, to
mitigate the risks of ZWikis becoming an easy entry point for a Trojan
Horse attack. 

With the new security policy in Zope 2.2, this is no longer necessary, and
you can comment out the restriction. Just remove or comment out the
'validate' method in the file Products/ZWiki/ZWikiPage.py and restart your
Zope server. Note that on a pre-2.2 server, this means that any DTML code
executed in a ZWiki page will be executed with the rights of the viewer!

If you still have problems, make sure that the Owner of the RecentChanges
object has rights to 'View' the ZWiki pages.

The Interfaces Wiki (and all other Zope.org Wikis) allow Anonymous to
View, only Editing and Adding new Wiki pages is restricted.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
-

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] ZWiki RecentChanges don't work in Zope 2.2.x

2000-09-25 Thread Chris Withers

...you get an authorization error :-(

This is because this Wiki isn't (and shouldn't) be publicly viewable or
editable.

So, Anonymous doesn't have 'View' permission on the folder. I've given
Anonymous 'Access Contents Information', the usual nasty hack I had to
do before, but now that just changes the error message :-S (it's in a PS
below)

I guess the Interfaces Wiki does pretty much this, but RecentChanges
works there. What tweaks to permissions and code have been made there?

This all stems from the fact that DTML in Wiki code _always_ executes
with the Anonymous role. That's stoopid :-(
Wouldn't it make more sense for it to execute with whatever Proxy Roles
that Wiki Page has?
I would code this myself, but I don't know how. Any ideas?

Any other thoughts about the problem?

cheers,

Chris

PS:

Unauthorized
  
You are not authorized to access getSize

Traceback (innermost last):
  File /mnt/data/2/zope/2-2-2_base/lib/python/ZPublisher/Publish.py,
line 222, in publish_module
  File /mnt/data/2/zope/2-2-2_base/lib/python/ZPublisher/Publish.py,
line 187, in publish
  File /mnt/data/2/zope/2-2-2_base/lib/python/ZPublisher/Publish.py,
line 171, in publish
  File /mnt/data/2/zope/2-2-2_base/lib/python/ZPublisher/mapply.py, line
160, in mapply
(Object: RecentChanges)
  File /mnt/data/2/zope/2-2-2_base/lib/python/ZPublisher/Publish.py,
line 112, in call_object
(Object: RecentChanges)
  File
/usr/local/zope/2-2-2_base/lib/python/Products/ZWiki/ZWikiPage.py, line
178, in __call__
(Object: RecentChanges)
  File
/usr/local/zope/2-2-2_base/lib/python/Products/ZWiki/ZWikiPage.py, line
223, in render_htmldtml
(Object: RecentChanges)
  File /mnt/data/2/zope/2-2-2_base/lib/python/OFS/DTMLDocument.py, line
177, in __call__
(Object: RecentChanges)
  File
/mnt/data/2/zope/2-2-2_base/lib/python/DocumentTemplate/DT_String.py,
line 528, in __call__
(Object: RecentChanges)
  File /mnt/data/2/zope/2-2-2_base/lib/python/DocumentTemplate/DT_In.py,
line 691, in renderwob
(Object: aq_parent.objectValues(spec='ZWiki Page'))
  File
/mnt/data/2/zope/2-2-2_base/lib/python/DocumentTemplate/DT_Util.py, line
337, in eval
(Object: _.getitem('sequence-item').getSize())
(Info: _)
  File , line 0, in ?
  File
/mnt/data/2/zope/2-2-2_base/lib/python/DocumentTemplate/DT_Util.py, line
140, in careful_getattr
  File
/usr/local/zope/2-2-2_base/lib/python/Products/ZWiki/ZWikiPage.py, line
501, in validate
(Object: RecentChanges)
Unauthorized: (see above)

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )