[Zope-dev] Authentification bug in 2.6.4

Dieter Maurer dieter at handshake.de
Sat Jan 8 13:59:40 EST 2005

Frederic de Zorzi wrote at 2005-1-7 21:51 +0100:
>After disabling Anonymous access in "Webdav Access" permission on root
>folder, I've lost all non-Manager accesses in 2.6.4 servers:
>Each time I try to access a restricted page (anonymous access works),
>I have the following:
>Traceback (innermost last):
>  Module ZPublisher.Publish, line 89, in publish
>  Module ZPublisher.BaseRequest, line 438, in traverse
>  Module ZPublisher.HTTPResponse, line 663, in unauthorized	
>Unauthorized: <strong>You are not authorized to access this resource.</strong>
>I've reactivated anonymous access for webdav, same thing. This happens with our
>4 zope servers (debian woody, zope 2.6.4, python 2.1) :(((

Almost surely, this has nothing to do with your "webdav" access.

When you look at the code near line 663 of
".../ZPublisher.BaseRequest.py" you will probably see
something like:

            if user is None and roles != UNSPECIFIED_ROLES:

If this is the case (I am not sure as my Zope version is much more
modern than yours ;-) ), then this means:

  *  you try to access a protected object ("roles != UNSPECIFIED_ROLES")

  *  the user folder was not able to authenticate a user
     with the required roles ("user is None").

You should log in as "Emergency User" (Howto on Zope.org)
and analyse your user folder.

If this does not reveal a problem, then maybe the necessary
roles have been erroneously determined. Long ago (much before
Zope 2.6), I have seen security settings disappearing (twice,
not reproducible, unexplained). Check especially the "security" tab
of the "Root Folder" (again as EmergencyUser) that it grants
all permissions to "Manager".
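
The two causes named in the reply, as an added example that is not part of the original message and is not Zope source code: a simplified Python model of the quoted check. Every name except `UNSPECIFIED_ROLES` is hypothetical, and the users and permission maps are constructed sample data.

```python
# Simplified model of the check quoted above; not Zope source code.
# Every name except UNSPECIFIED_ROLES is hypothetical.
UNSPECIFIED_ROLES = object()  # sentinel: the published object declares no roles


class UserFolder:
    def __init__(self, users):
        self.users = users  # name -> (password, roles); constructed sample data

    def authenticate(self, credentials):
        """Return the roles held if name and password match, else None."""
        if credentials is None:
            return ("Anonymous",)
        name, password = credentials
        entry = self.users.get(name)
        return entry[1] if entry and entry[0] == password else None

    def validate(self, credentials, roles):
        """Return a user only if it holds one of the required roles."""
        held = self.authenticate(credentials)
        if held is None or not set(held) & set(roles):
            return None
        return credentials[0] if credentials else "Anonymous User"


def required_roles(permission_map, permission):
    """Roles needed for the object; unprotected objects have no permission."""
    if permission is None:
        return UNSPECIFIED_ROLES
    return tuple(permission_map.get(permission, ()))


def publish(folder, permission_map, permission, credentials):
    roles = required_roles(permission_map, permission)
    user = None
    if roles is not UNSPECIFIED_ROLES:
        user = folder.validate(credentials, roles)
    if user is None and roles != UNSPECIFIED_ROLES:  # condition from the reply
        return "Unauthorized"
    return "OK"


def explain(folder, permission_map, permission, credentials):
    """Name which of the two causes in the reply left `user` as None."""
    if publish(folder, permission_map, permission, credentials) == "OK":
        return "ok"
    if "Manager" not in required_roles(permission_map, permission):
        return "security settings: Manager is not granted this permission"
    if folder.authenticate(credentials) is None:
        return "user folder: credentials not recognised"
    return "user folder: user lacks the required roles"
```

In the model, an emptied permission map yields "Unauthorized" even for a user with the Manager role, which is the case the "security" tab check is meant to catch.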

