My Zope server uses exUserFolder and PostgreSQL for authentication. I turned on query logging today for unrelated reasons, and noticed an almost continuous stream of queries:

    SELECT * FROM passwd where upper(username)=upper('kirk')
    SELECT * FROM passwd where upper(username)=upper('kirk')
    SELECT * FROM passwd where upper(username)=upper('kirk')
    SELECT * FROM passwd where upper(username)=upper('kirk')

where "kirk" is my own username. The problem was that I wasn't logged in at the time. I traced the problem back to our main page template, which starts with:

    <head>
      <title>Example.com : <span tal:replace="template/title_or_id">Page Title</span></title>
    </head>

Being curious, I changed my username in the PostgreSQL table to "kirk_foo", and watched as my logfiles began filling with 401 errors with backtraces like:

    Time                2006/03/23 13:46:38.832 US/Central
    User Name (User Id) ourcustomer (ourcustomer)
    Request URL         http://www.example.com/invoices/index_html
    Exception Type      Unauthorized
    Exception Value     You are not allowed to access 'title_or_id' in this context

as customers get messages like:

    Site Error

    An error was encountered while publishing this resource.

    Error Type: Unauthorized
    Error Value: You are not allowed to access 'title_or_id' in this context

Now, "ourcustomer" has full rights to the "invoices" folder and all files in it, but they can't execute the "title_or_id" method on objects inside. Also, how on Earth did my username get dragged into this? As the main site developer, I own all the objects in the site, but I don't have any odd Proxy access set up.

I can't figure out why customers are trying to call title_or_id as me in the first place, let alone why it fails. Any insight?

--
Kirk Strauser
The Day Companies