[Zope-dev] Re: Not authorized to access binding

Tres Seaver tseaver at palladion.com
Thu May 25 12:49:57 EDT 2006


Antonio Beamud Montero wrote:
> Hi all:
> I'm using Zope 2.7. I have created a product that inherits from Folder.
> The security assertions are::
> 
> security = ClassSecurityInfo()
> security.declareObjectProtected('View management screens')
> 
> But I need to publish some ZPT methods public. I have declared them:
> 
>     security.declarePublic('my_stations')
>     my_stations = PageTemplateFile('wsdl/my_stations.wsdl.zpt', globals())
>     my_stations.content_type = 'text/xml'
> 
> And 'wsdl/my_stations.wsdl.zpt' has only a reference to absolute_url in:
> -------------------
> ...
>  <port binding="tns:StationsBinding" name="port">
>             <soap:address tal:attributes="location here/absolute_url" location="http://localhost:8000/ccx/StationsService"/>
>         </port>
> ...
> 
> The problem is that trying to access this method as an anonymous user
> gives me:
> ----------------------------------------------------------------
> ...
> Module Products.PageTemplates.Expressions, line 189, in _eval
> Module Products.PageTemplates.Expressions, line 145, in _eval
> __traceback_info__: here
> 
> Module Products.PageTemplates.Expressions, line 323, in restrictedTraverse
> __traceback_info__: {'path': [u'absolute_url'], 'TraversalRequestNameStack': []}
> 
> Module Shared.DC.Scripts.Bindings, line 176, in __getattr__
> Module Shared.DC.Scripts.Bindings, line 182, in __you_lose
> Unauthorized: Not authorized to access binding: context (Also, an error occurred while attempting to render the standard error message.)
> ----------------------------------------------------------------
> With other methods declared public, all works OK (like published via SOAP)...
> Can anyone help me?

Your template uses 'here', which is an alias for the 'context' binding,
i.e. the object through which the template was acquired.  That object
has permission settings which prevent anonymous access *to the object*,
which makes its use in a path expression impossible, even though the
'absolute_url' method of that object *would* be accessible by anonymous.

If this template needs to be renderable by anonymous users even for
contexts to which they do not have access, then you can give the
template a proxy role which *does* have access.  Use with caution, and
double check that the template won't expose any data which *should* be
protected.


Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com