Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote at 2005-10-17 16:21 -0600: ... File /usr/local/zinstance/Products/CMFPlone/PloneFolder.py, line 306, in manage_delObjects raise Unauthorized, ( Unauthorized: Do not have permissions to remove this object This obviously is the Plone implementation of manage_delObjects -- and it apparently performs an explicit check (unlike Zope's manage_delObjects). You should ask Plone related questions on the Plone (and not the Zope) mailing list. Things can be quite different in Plone land (as e.g. for manage_delObjects). -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote: That was my expectation too, but alas -- it does not work for me. Have you specifically tried this? Yes, many times... Set up: - Plone Site with Delete objects permission granted only to Manager (not inheriting privs) - (Plone) Folder abc with an object xyz under the Plone Site (inheriting privs) Well, you're using Plone, so you're on your own. It or CMF may do some other funky permissions checks on delete which are screwing you up... Browser shows: Insufficient Privileges You do not have sufficient privileges to view this page. If you believe you are receiving this message in error, please send an e-mail to File /usr/local/zinstance/Products/CMFPlone/PloneFolder.py, line 306, in manage_delObjects raise Unauthorized, ( Unauthorized: Do not have permissions to remove this object You should install VerboseSecurity if using Zope 2.7 or enable in in zope.conf if using Zope 2.8, it will tell you more... But, look at that traceback, it's coming from PloneFolder.py (suprise, suprise) so you'll have to go there and find out what funky nastiness is lurking ;-) cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote: I'm trying to allow users to delete objects that have been accidentally created. I have criteria for what that means, but since I *DO NOT* want them to delete object except by this method, I want to avoid granting Delete objects to them (non-Managers). Have the delete process done in a python script or external method. Only give view permission to that method to people who you want to be able to delete objects. If it's a python script, give it a Proxy role that has the Delete objects permission mapped, and you'll be fine :-) cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Dieter Maurer wrote:
Nikko Wolf wrote at 2005-10-14 15:37 -0600:
I'm trying to allow users to delete objects that have been accidentally
created. I have criteria for what that means, but since I *DO NOT* want
them to delete object except by this method, I want to avoid granting
"Delete objects" to them (non-Managers).
Can this even be done? At the base level, "Delete objects" is a
hard-coded requirement of the ObjectManager.manage_delObjects() function.
Usually, an "External Method" is not restricted by Zope's
security.
Unless "manage_delObjects" does not perform an additional
internal check (I think, it does not), your "External Method"
can use it to delete objects.
My question stemmed from the fact that (for reasons I cannot not
duplicate), I was repeatedly getting Unauthorized exceptions using the
manage_delObjects() function. Thus, I moved the functionality into an
External Method, intending to avoid the restrictions.
But even there, throughout changes too numerous to remember now, the
Unauthorized problem persisted. Then, after snooping around I found
code in zope/lib/python/OFS/ObjectManager.py that set
__ac_permissions__ with an entry:
('Delete objects', ('manage_delObjects',))
... hence my thought was that the ObjectManager class had the
requirement builtin at the source code level. Even trying new
security context (created from within the External Method) did not work.
After many hours of effort and debugging, I find that it works in a
"Script (Python)" with precisely the same code that I (thought I) used
originally. Obviously, something is different, but unless it was a
subtle typo that compiled correctly and worked (but not as desired) I
cannot fathom what has changed.
BTW: Often, it is more faster simply to try something than
to post a question to the mailing list and wait for the answer.
Your question above is such a case ...
Indeed, I know that well. I *had* tried a multitude of variations
before sending; and I'd originally included details in the first
posting, but deleted it before I sent it since the question seemed to
stand on its own.
Thanks anyway,
Nikko
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Chris Withers wrote:
Nikko Wolf wrote:
I'm trying to allow users to delete objects that have been
accidentally created. I have criteria for what that means, but since
I *DO NOT* want them to delete object except by this method, I want
to avoid granting Delete objects to them (non-Managers).
Have the delete process done in a python script or external method.
Only give view permission to that method to people who you want to
be able to delete objects.
If it's a python script, give it a Proxy role that has the Delete
objects permission mapped, and you'll be fine :-)
That was my expectation too, but alas -- it does not work for me. Have
you specifically tried this?
Set up:
- Plone Site with Delete objects permission granted only to Manager
(not inheriting privs)
- (Plone) Folder abc with an object xyz under the Plone Site
(inheriting privs)
- The following Script (Python) named nuke and with Manager
proxy role.
- Non Manager user
- Load URL: {plone-root}/abc/xyz/nuke
Browser shows:
Insufficient Privileges
You do not have sufficient privileges to view this page. If you believe
you are receiving this message in error, please send an e-mail to
The events.log shows:
2005-10-17T16:16:34 ERROR(200) SiteError
http://localhost:8080/PloneRoot/abc/xyz/nuke
Traceback (most recent call last):
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 101, in
publish
request, bind=1)
File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in mapply
if debug is not None: return debug(object,args,context)
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in
call_object
result=apply(object,args) # Type scr to step into published object.
File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
306, in __call__
return self._bindAndExec(args, kw, None)
File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
343, in _bindAndExec
return self._exec(bound_data, args, kw)
File
/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py,
line 324, in _exec
result = f(*args, **kw)
File Script (Python), line 16, in mlt
File /usr/local/zinstance/Products/CMFPlone/PloneFolder.py, line
306, in manage_delObjects
raise Unauthorized, (
Unauthorized: Do not have permissions to remove this object
The script is:
## Script (Python) nuke
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=My Test Script
##
from Products.PythonScripts.standard import html_quote
objid = context.getId()
folder = context.aq_inner.aq_parent
mylog = folder.plone_log
#
## DELETION CRITERIA CHECKS OMITTED
# So, now we delete it...
member = context.portal_membership.getAuthenticatedMember()
mylog( %s deletes (%s) from (%s) %\
(member.id, context.absolute_url(), folder.absolute_url()))
resp = folder.manage_delObjects( [objid] )
mylog( folder.{%s}.manage_delObjects(['%s'] = {%s}\nCTX=%s %
(folder.absolute_url(), objid,
folder.dumpIt( resp ), folder.absolute_url()))
mylog( Remaining: + str(folder.objectIds()) )
# Set 'text' for the portal_status_message
text = No exceptions deleting '%s' % objid
if objid in folder.objectIds():
text += / ID is still there
else:
text += / ID is gone
if context in folder.objectValues():
text += / OBJECT is still there
else:
text += / OBJECT is gone
context.REQUEST.RESPONSE.redirect( folder.absolute_url() +
'?portal_status_message=' +
html_quote(text))
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Deleting objects from an external method
Nikko Wolf wrote at 2005-10-14 15:37 -0600: I'm trying to allow users to delete objects that have been accidentally created. I have criteria for what that means, but since I *DO NOT* want them to delete object except by this method, I want to avoid granting Delete objects to them (non-Managers). Can this even be done? At the base level, Delete objects is a hard-coded requirement of the ObjectManager.manage_delObjects() function. Usually, an External Method is not restricted by Zope's security. Unless manage_delObjects does not perform an additional internal check (I think, it does not), your External Method can use it to delete objects. BTW: Often, it is more faster simply to try something than to post a question to the mailing list and wait for the answer. Your question above is such a case ... -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
