[Zope-CMF] [Warning] CMF upgrade made login impossible

Tres Seaver tseaver@zope.com
Wed, 09 Jan 2002 08:08:38 -0500


Dieter Maurer wrote:

> Yesterday, I upgraded to the current CVS version of CMF.
> Today, I recognized that I were no longer able to login.
> 
> The analysis revealed:
> 
>   "RegistrationTool.RegistrationTool.setProperties" is called in
>   "logged_in" in order to set the time of last login.
>   The method is protected by "SetOwnProperties".
> 
>   Apparently, the default roles for "SetOwnProperties" have
>   been "Manager, Member". But after the upgrade, they are now
>   only "Manager,". Of course, a normal member is now no
>   longer able to login, because the call to "setProperties"
>   raises an "Unauthorized" exception that is redirected to
>   the login form again.


Dieter,

The "default roles" for those permissions, registered in
CMFCore.CMFCorePermissions, can include only standard
Zope roles, and therefore don't include "Member".  The
code which does this has not changed since CMF 1.0 beta.

   http://cvs.zope.org/CMF/CMFCore/CMFCorePermissions.py?annotate=1.10

The portal setup code in CMFDefault.Portal.PortalGenerator
maps those permissions onto the roles 'Manager' and 'Member',
and has done so since the initial checkin of the module:

   http://cvs.zope.org/CMF/CMFDefault/Portal.py?annotate=1.28

That code is run only when creating a new site.

I don't know of *any* code which would have cleared the

non-acquired role-permission mappings on the CMFSite instance
during the upgrade, and would be quite surprised to find
any (as the dogbowl would have died, for instance, when I
upgraded it to CMF 1.2 beta).  In fact, there should not be
any write transaction which occurs "automagically" to your
site object as a result of upgrading the CMF products on
disk.


> This problem was very nasty to analyse, as the error page was replaced
> by the login form :(
> 
> Fortunately, the work around was easy. Map "Set own properties" to
> "Member" in the security tab.
> 
> "SetOwnPassword" and several other registration permissions got
> changed their default roles in a similar way. They may exhibit similar
> problems.


Can you track down at all (the Undo log, maybe) what caused

the transaction which modified the mappings?

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com