Joerg Baach wrote at 2008-2-25 19:45 +0000:
> ...
>I am trying to have a folderish object that acquires from a user object
>(ldapuserfolder). It should have its own properties and contents, but
>fall back to the ones of the ldap user.
>I have created an object, extending Folder, and it behaves nicely in
>zopectl debug. When I try to access it through e.g. a python script I
>get an:
>Error Type: Unauthorized
>Error Value: Unable to find __roles__ in the container and the container
>is not wrapped. Access to 'dn' of test, acquired through (LDAPProxy at
>/testfolder/ldapproxy), denied.

When you access attribute "x" (with value "xv") on object "o",
Zope will first check whether "xv" has security declarations (more
precisely, a "__roles__" attribute). If it has, they are used.
Otherwise, Zope checks for "o.x__roles__". If found, they are used.
Otherwise, "o.__roles__" may be examined (under some circumstances).

Note that for most security declarations,
"o" needs to be fully acquisition wrapped.
Otherwise, there may be two problems:

  *  Zope cannot find the information to map permissions to roles
     (as this mapping is defined on the acquisition path leading
     to the root)

  *  "o" is not "covered" by the user folder which
     has identified the current user.

     A user has only special roles on objects "covered" by
     its user folder.

     An object is "covered" by a user folder when the object
     lies in the subtree rooted in the user folder's container.
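
The lookup order described in the reply above, as an added Python sketch that is not part of the original message and is not Zope's implementation. `Wrapper`, `find_roles`, `Root`, `User` and `DeclaredUser` are hypothetical names; acquisition is modelled as a plain parent chain, and step 3 is always tried, which simplifies the "under some circumstances" in the reply.

```python
# Simplified model of the lookup order in the reply; this is not Zope's code.
_MISSING = object()

class Unauthorized(Exception):
    pass

class Wrapper:
    """Stand-in for an acquisition wrapper: an object plus its container."""
    def __init__(self, obj, parent):
        self.obj, self.parent = obj, parent

def _chain(o):
    """Yield o's base object, then each container up to the root."""
    while isinstance(o, Wrapper):
        yield o.obj
        o = o.parent
    yield o

def find_roles(o, name):
    """Return the roles guarding attribute `name` of `o`."""
    base = next(_chain(o))
    value = getattr(base, name)
    roles = getattr(value, "__roles__", _MISSING)            # 1. xv.__roles__
    if roles is _MISSING:
        roles = getattr(base, name + "__roles__", _MISSING)  # 2. o.x__roles__
    if roles is _MISSING:
        for obj in _chain(o):                                # 3. o.__roles__, acquired when wrapped
            roles = getattr(obj, "__roles__", _MISSING)
            if roles is not _MISSING:
                break
    if roles is _MISSING:
        if isinstance(o, Wrapper):
            raise Unauthorized("no __roles__ on the acquisition path")
        raise Unauthorized("Unable to find __roles__ in the container "
                           "and the container is not wrapped")
    return roles

# Constructed sample objects (hypothetical, not LDAPUserFolder classes).
class Root:
    __roles__ = ("Manager",)

class User:
    dn = "cn=test,dc=example,dc=org"   # plain string: carries no __roles__

class DeclaredUser(User):
    dn__roles__ = ("Authenticated",)   # per-attribute declaration

if __name__ == "__main__":
    print(find_roles(DeclaredUser(), "dn"))
    print(find_roles(Wrapper(User(), Root()), "dn"))
```

Calling `find_roles(User(), "dn")` on the bare, unwrapped object raises `Unauthorized` with the same wording as the error quoted in the question.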
