[Zope-CMF] view method not authorized with access restricted to members

Rémi Houdaille Remi.Houdaille@akeirou.com
Sat, 12 May 2001 14:10:33 +0200


I'm trying to build a CMF Site with access
restricted to registered members only.
Almost everything seems OK, except that
a member cannot view its own documents from the
Desktop page.

Simplest scenario to see the problem:

(With the ZMI)
1- Create a default CMF Site
2- From the Security tab, uncheck the "acquire permissions"
   for the View permission, and give this permission
   to the Member role.
3- Register a member (only the manager may do that).
4- Logout from ZMI as manager.
5- Log in to the CMF (url .../logged_in?__ac_name=xxx&_acc_password=yyy)
6- Click MyStuff in the action box
7- Click on index_html in the Desktop:

Traceback (innermost last):
   File /usr/share/Zope-2.3.0-src/lib/python/ZPublisher/Publish.py, line 222, in publish_module
   File /usr/share/Zope-2.3.0-src/lib/python/ZPublisher/Publish.py, line 187, in publish
   File /usr/share/Zope-2.3.0-src/lib/python/ZPublisher/Publish.py, line 162, in publish
   File /usr/share/Zope-2.3.0-src/lib/python/ZPublisher/BaseRequest.py, line 360, in traverse
   File /usr/share/Zope-2.3.0-src/lib/python/Products/CMFCore/PortalContent.py, line 173, in _index_html
     (Object: DynamicType)
   File /usr/share/Zope-2.3.0-src/lib/python/OFS/Traversable.py, line 223, in restrictedTraverse
     (Object: DynamicType)
   File /usr/share/Zope-2.3.0-src/lib/python/OFS/Traversable.py, line 205, in unrestrictedTraverse
     (Object: DynamicType)
   Unauthorized: document_view

More precisely, the member can view the document with URLs
.../Members/xxx/index_html/document_view
.../Members/xxx/index_html
but not with
.../Members/xxx/index_html/view
which is the one called from folder_contents.dtml

Customizing folder_contents so that the object is
accessed without the view method seems to solve
the problem. But there must be a reason for using
"view" on a portalish content there, so that I'm
afraid of breaking something else...

Also I could not figure out why the authorization failed.
It seems that at some point the "Member" role is lost, and
the security manager only uses "Anonymous", as granting
Anonymous access at the CMF root allows one to "view" the doc.
However, granting View permission to Anonymous only on the
index_html doc does not allow viewing it...
I would appreciate it if somebody could explain that to me.

Thanks for reading so far!

Rémi Houdaille