My problems on this subject didn't get resolved since my last post, but I have some new info and questions -

The symptoms (Zope 3.1.0c1):
Database adapters are not usable by principals other than the zope.Manager, in the principals.zcml file. Any other principal is unauthenticated - I tried a principals.zcml regular user with zope.ManageContent, zope.UseDatabaseConnections and zope.View granted, a pluggable authentication user with the zope.Manager role granted, and finally a principals.zcml regular user with the zope.Manager role. All principals are able to see and manage the connection object, but can't retrieve results. This is tested and true for both the psycopg and Gadfly database adapters.

This is the exception I get when trying to use an SQL script:
    * Module zope.app.sqlscript.browser.sqlscript, line 39, in getArguments
      for argname, argvalue in self.context.getArguments().items():

Unauthorized: (<zope.app.sqlscript.sqlscript.Arguments object at 0xa03e86c>, 'items', 'zope.ManageContent')

This is the exception from the test page of the connection object (in /++etc++site/tools) when I use a principal with zope.Manager granted:
    * Module zope.app.rdb, line 372, in queryForResults
      cursor = conn.cursor()

Unauthorized: (<zope.app.rdb.ZopeConnection object at 0xad11c2c>, 'cursor', 'zope.ManageContent')

Looking at the code, the ZopeConnection object is created by the ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual DatabaseAdapter) with a simple call - self._v_connection = ZopeConnection(self._connection_factory(), self) - and the ZopeConnection class does not have anything that deals with security, as far as I can see.

My question is, does this eventually mean that ZopeConnection objects, which are created at run-time, are not security proxied and consequently unauthorized in all cases (except the system_user), and if yes, what should be done? I'm not familiar with the Zope3 environment and I don't know how and where objects get proxied.
Or is there something I'm missing here?

Velko Ivanov
Zope3-dev mailing list