On Tue, Mar 31, 2009 at 02:09:34PM -0700, Douglas Cerna wrote:
> Hi.
> 
> I had a similar error and fixed it by modifying:
> 
> >>> browser.addHeader('Authorization', 'Basic mgr:mgrpw')
> 
> To:
> 
> >>> browser.addHeader('Authorization', 'Basic globalmgr:globalmgrpw')
> 
> Both principals are defined in the ftesting.zcml file of your project,
> but just the globalmgr has the Manager role assigned.

This is intentional and tends to expose bugs in your application.

If you have an object without a correct __parent__ chain leading to the
ZODB root, your object will never see local security grants (such as
mgr:mgrpw has) so any users defined TTW won't be able to access it.

The fix is to ensure that *every* object of your application has a
__parent__.

(Note that this use of __parent__ for security is independent from
containment -- you don't need your objects to provide ILocation, or have
__name__'s -- the Zope 3 security mechanism looks at __parent__
attributes without checking interfaces.)

Marius Gedminas
-- 
Life begins when you can spend your spare time programming instead of
watching television.
                -- Cal Keegan
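
A simplified model of the behaviour described in this message, added here as an illustration; it is not Zope's code and not from the original post. The `Node` class, the `local_roles` mapping, `GLOBAL_ROLES` and the helper names are assumptions made for the example, and the sample tree is constructed.

```python
# Toy model of the lookup described in the post; NOT Zope's implementation.
# Node, local_roles and GLOBAL_ROLES are hypothetical names for this example.

GLOBAL_ROLES = {"globalmgr": {"Manager"}}  # stands in for a global ZCML grant


class Node:
    def __init__(self, name, parent=None, local_roles=None):
        self.name = name
        if parent is not None:
            self.__parent__ = parent  # objects created without one lack the attribute
        self.local_roles = local_roles or {}  # principal id -> roles granted here


def chain(obj):
    """Yield obj and its ancestors by following __parent__ (no interface checks)."""
    seen = set()
    while obj is not None and id(obj) not in seen:
        seen.add(id(obj))
        yield obj
        obj = getattr(obj, "__parent__", None)


def roles_for(principal, obj):
    """Global roles plus every local grant found on the way up the chain."""
    roles = set(GLOBAL_ROLES.get(principal, ()))
    for node in chain(obj):
        roles |= node.local_roles.get(principal, set())
    return roles


def broken_chains(objects, root):
    """Names of objects whose __parent__ chain never reaches the root."""
    return [o.name for o in objects if all(n is not root for n in chain(o))]


# Constructed sample tree: mgr holds Manager only as a local grant on the root.
root = Node("root", local_roles={"mgr": {"Manager"}})
folder = Node("folder", parent=root)
attached = Node("attached", parent=folder)
orphan = Node("orphan")  # __parent__ was never set

if __name__ == "__main__":
    for who in ("mgr", "globalmgr"):
        for obj in (attached, orphan):
            print(who, obj.name, sorted(roles_for(who, obj)))
    print("broken:", broken_chains([folder, attached, orphan], root))
```

In this model the globally granted principal reaches the orphaned object while the locally granted one does not, which is why testing as `mgr` surfaces the missing `__parent__`.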


_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
