[Zope-PAS] AW: Re: Strange authorization problems in subfolders under PAS

bernd.grobauer at krakel.de bernd.grobauer at krakel.de
Wed Nov 23 04:51:03 EST 2005


Hi,

>The user's ID is probably 'auth_zopeadmin', while the login name is
>'zopeadmin';  this assumes that your user source (a ZODBUserManager?)
>uses the prefix, 'auth'.  If you show 'user/getId', is it 'auth_zopeadmin'?

You were right: the UserId is 'auth__zopeadmin' -- and the name of
our scriptable plugin is 'auth' -- I guess that is where it inherits
the 'auth' from. I redid the experiments:

- calling 'index_html' in the same folder as the PAS-user-folder is
  located works also if index_html has owner 'auth__zopeadmin'

- calling 'index_html' owned by 'auth__zopeadmin' when located in
  a folder somewhere under the PAS-user-folder in the hierarchy
  gives the following error message:

  Error Type: Unauthorized
  Error Value: The owner of the executing script does not have the required
  permission. Access to 'meta_type' of (PythonScript at 
  /test/subfolder/index_html) denied. Access requires View_Permission, 
  granted to the following roles: ['Authenticated', 'Manager', 'Owner']. 
  The executing script is (PythonScript at
  /test/subfolder/index_html), owned by Anonymous User, 
  who has the roles ['Anonymous'].

  The same happens if I set the proxy-role of the script to, say 'Manager'.

I guess I could just solve my problem by granting View to 'Anonymous',
but there is obviously something fundamental I do not understand:

- why do objects in subfolders react differently?

- how does the 'old' Zope authentication with the regular 'userfolder' 
  at top level and PAS users? For the user itself, it does not
  matter if he has a funny id such as 'auth__zopeadmin', because I can
  grant roles to him no matter what the name is via PAS. But what about
  scripts and their owners?


Best regards,

Bernd

