[Zope-dev] But I used __ac_permissions__! :S

Phillip J. Eby pje@telecommunity.com
Fri, 01 Sep 2000 14:38:48 -0500


This is just a SWAG (Strategic Wild-Ass Guess), but Ty and I have been
having a problem with the search feature in Squishdot 0.7.0 that seems
possibly to be related.  Our trace of the problem shows that catalog
searches from the SquishSite return objects which are wrapped with a
*different* acquisition hierarchy than the SquishSite itself or from the
User object it's trying to check roles on.  Thus, *even though* the user
has the right roles, user.allowed() disallows the roles as invalid because
they're being granted from a (seemingly) different hierarchy.

What we found is that ZCatalog uses the older REQUEST.resolve_url() method
to access the "true" objects, which has this side effect.  If it used the
new 2.2 traverse methods, the acquisition hierarchy would be the same.  As
it stands, the objects returned by ZCatalog.getobject (by way of
SquishSite.__call__) even have different REQUEST objects than the original
REQUEST object for the web hit.

Does this sound like it's anything related to the problems you're having?

At 05:00 PM 9/1/00 +0100, Chris Withers wrote:
>Brian Lloyd wrote:
>> 
>> Here's a quick thing to try- if 'subject' is an attribute
>> of your Article class, try adding:
>> 
>> class Article(...):
>>   subject__roles__=None
>> 
>> then restart and see if you still get unauthorized...
>
>yup, I do :-(
>
>And besides, 'subject' is already in __ac_permissions__, as you can see:
>
>(a lot of stuff snipped out though ;-)
>
>    __ac_permissions__ = (
>        ('View', ['subject','getThread'], ('Anonymous', 'Manager')),
>        )
>
>and I do appropriate Globals.default__class_init__'s...
>
>Man, I really have no idea, and not even any clue where to look.
>
>The big factor seems to be that 'subject' is a string. I had a similar
>problem with the SquishFile class with the 'icon' attribute.
>
>When it was a string:
>
>    # protected by 'View' permission
>    icon = 'misc_/Squishdot/squishfile_img'
>
>..even though it was a class variable and protected in
>__ac_permissions__, I was getting very similar errors to the above...
>
>I was lucky, in that case, because it was a class variable, I could turn
>it into a method:
>
>    # protected by 'View' permission
>    def icon(self):
>        return 'misc_/Squishdot/squishfile_img'
>
>..and, lo and behold, no more security errors from there... :S
>
>Unfortunately, the string attributes in the Article class are instance
>attributes, not class attributes, so I can't do the same thing :-(
>
>Any ideas?
>
>cheers,
>
>Chris
>
>_______________________________________________
>Zope-Dev maillist  -  Zope-Dev@zope.org
>http://lists.zope.org/mailman/listinfo/zope-dev
>**  No cross posts or HTML encoding!  **
>(Related lists - 
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
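The declarations being debated above (`__ac_permissions__` tuples, `Globals.default__class_init__`, and an explicit `subject__roles__ = None`) can be hard to reason about without seeing the mapping they produce. The following is an added, stand-alone model written for this page; it is not Zope's own code and does not reproduce acquisition or the real security policy. It assumes a simplified lookup order (roles on the value, then `<name>__roles__` on the container, then the container's `__roles__`) and a hypothetical `Article` class with constructed attribute values, and it shows that a plain string instance attribute can be protected purely through the class-level `<name>__roles__` attribute that the permission tuple generates.

```python
# Added example: a simplified model of how an __ac_permissions__ declaration
# becomes per-name <name>__roles__ attributes, and how a role check consults
# them. NOT Zope's code; Globals.default__class_init__ and the real policy
# do more (PermissionRole objects, acquisition, REQUEST context).

PUBLIC = None          # <name>__roles__ = None means "anyone may access"
_NO_ROLES = object()   # sentinel: no declaration found for this name


class Unauthorized(Exception):
    """Raised when the caller holds none of the roles granted to a name."""


def initialize_class(cls):
    """Model of Globals.default__class_init__: for each
    (permission, names[, roles]) tuple in __ac_permissions__, set
    cls.<name>__roles__ to the roles granted that permission.
    Assumption: a tuple without roles defaults to ('Manager',)."""
    for entry in getattr(cls, '__ac_permissions__', ()):
        names = entry[1]
        roles = tuple(entry[2]) if len(entry) > 2 else ('Manager',)
        for name in names:
            # An explicit <name>__roles__ on the class (e.g. = None) wins.
            if not hasattr(cls, name + '__roles__'):
                setattr(cls, name + '__roles__', roles)
    return cls


def roles_for(container, name, value):
    """Lookup order used by this model: roles on the value itself, then
    <name>__roles__ on the container, then the container's own __roles__."""
    roles = getattr(value, '__roles__', _NO_ROLES)
    if roles is _NO_ROLES:
        roles = getattr(container, name + '__roles__', _NO_ROLES)
    if roles is _NO_ROLES:
        roles = getattr(container, '__roles__', _NO_ROLES)
    return roles


def validate(container, name, user_roles):
    """Return container.<name> if one of user_roles is granted, else raise."""
    value = getattr(container, name)
    roles = roles_for(container, name, value)
    if roles is PUBLIC:
        return value
    if roles is _NO_ROLES or not set(roles) & set(user_roles):
        raise Unauthorized(name)
    return value


class Article:
    """Hypothetical class mirroring the declaration quoted in the thread."""
    __ac_permissions__ = (
        ('View', ['subject', 'getThread'], ('Anonymous', 'Manager')),
        ('Edit', ['edit'], ('Manager',)),
    )
    __roles__ = ('Manager',)   # fallback for names with no declaration

    def __init__(self, subject):
        self.subject = subject        # plain string instance attribute
        self.body = 'secret draft'    # constructed; undeclared -> __roles__

    def getThread(self):
        return [self.subject]

    def edit(self, subject):
        self.subject = subject


initialize_class(Article)


def demo():
    """Exercise the checks an Anonymous and a Manager user would hit."""
    a = Article('Hello')
    results = {}
    results['anon_subject'] = validate(a, 'subject', ('Anonymous',))
    results['anon_thread'] = validate(a, 'getThread', ('Anonymous',))()
    for name in ('edit', 'body'):
        try:
            validate(a, name, ('Anonymous',))
            results['anon_' + name] = 'allowed'
        except Unauthorized:
            results['anon_' + name] = 'unauthorized'
    results['manager_body'] = validate(a, 'body', ('Manager',))
    return results


if __name__ == '__main__':
    print(demo())
```

Running `demo()` shows the string attribute `subject` readable by Anonymous because `Article.subject__roles__` was derived from the `View` tuple, while the undeclared `body` attribute falls back to the class `__roles__` and is Manager-only. Setting `subject__roles__ = None` on the class, as Brian suggested, would make `initialize_class` leave it alone and `validate` treat it as public.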