We are currently having problems trying to get authorization working with Plone 2.5.2, Zope 2.9.6, and Python 2.4.3 using pubcookie and a multi-plugin to communicate with pubcookie. We've verified that pubcookie is working properly and that user names are getting passed on to Zope, but the right roles are not assigned to the deserving users. Below are the steps to repro the problem:

- Setup Zope instance for pubcookie plugin by following the steps listed under http://www.washington.edu/webinfo/case/zope/ - Setup two users, one of whom will need Manager privileges under the root acl_users ([ZopeSiteRoot]/acl_users/roles/manage_workspace), the second will need Manager privileges under a Plone site ([ZopeSiteRoot]/plone/acl_users/portal_role_manager/manage_workspace). Users should not be listed under both the root acl_users and the Plone site acl_users.

* Scenario 1
- Install the PubcookiePAS multiplugin by going to the root acl_users and clicking Pubcookie PAS Multiplugin from the dropdown menu and clicking Add.
     - Enter in a vaild id and name, along with the valid login page
- Under the acl_users plugins (acl_users/plugins/manage_workspace), add the PubcookiePAS multiplugin to each of the Authentication, Challenge, Reset Credentials, and Extraction plugins.
    * Expected behavior:
When the plugin is functioning properly, users should be able to authenticate via pubcookie, zope admins should be able to modify all sites, and site admins should be able to modify the sites that they are have Manager priveleges for.
    * Actual behavior:
Zope admins are still able to modify all sites, but site admins lose all admin privileges for the sites they should be able to edit.

* Scenario 2**
- Instead of adding PubcookiePAS to the root acl_users, go to a site's acl_users folder and add it there. - As above, enter in a valid id, name, and login page, and enable the plugin for Authentication, Challenge, Reset Credentials, and Extraction plugins.
    * Expected behavior:
Same as above - that both site admins and zope admins have full access to the sites under their control according to the roles given
    * Actual behavior:
Site admins are still able to modify their sites and access [SiteName]/manage, but zope administrators are no longer able to affect change in the site the PubcookiePAS plugin was installed under. (**Note: after this is done you'll need to remove the plugin from the site's acl_users with a manager under this site, since your zope admin will no longer be able to access it via the zmi. Make sure you have a site administrator that you have access to before installing the plugin).

We feel that the proper way to install the plugin would be to follow the steps in scenario 1 - and in fact this at one point worked properly.

We've done some debugging of the issue but have been unable to come up with a definitive solution, and at the moment I seem to have hit a dead end in the code... Traversal seems to follow
PluggableAuthService.validate( self, request, auth, roles=_noroles )
 -> PluggableAuthService._findUser( plugins, user_id, login, request )
    -> ZODBRoleManager.getRolesForPrincipal( user, request )
       -> ZODBRoleManager._principal_roles.get( principal.getId(), () )

The final call is on line 95 of ZODBRoleManager and returns an empty array instead of the Manager role as expected and hoped for. That line is

     result = list( self._principal_roles.get( principal.getId(), () ) )

_principal_roles would seem to contain the roles for all users, but roles are only given for the context the PubcookiePAS is installed in (the root level acl_users folder). For example, calling


returns ('Manager', 'Owner').  However, calling


returns () - an empty array. The problem would seem to be that when self._principal_roles is populated it only adds users and roles from the zope root level acl_users folder, not from any of the nested Plone site acl_users folders. Unfortunately, I seem to lose the trail about here and can't find where _principal_roles is definitively set. I believe the solution should be that self._principal_roles.get('ValidSiteManagerUser') returns at the very least ('Manager') - any ideas on how to achieve this?

Michael Gilbert
Software Support Group, University of Washington

Zope-PAS mailing list

Reply via email to