[Zope] Down-level user folder conflict

Jens Vagelpohl tommymi@concentric.net
Tue, 27 Jul 1999 09:03:27 -0400


hi alex (and everyone else),

i am seeing the *very same* thing on beta1, only difference being i am
trying to use a SQL method stored in the unrestricted parent folder. all of
a sudden i am getting an authorization prompt again. all this worked fine on
alpha3.

in my case the privileged user account is also specifically included in the
parent folder acl_user list because i had problems on alpha3 where pictures
pulled from that unrestricted parent folder wouldn't show and i got asked
for authorization. which is logical, because at that time the parent folder
only knew two accounts: the manager and the anonymous one, it didn't know
who the hell this restricted user was ;)

Jens Vagelpohl



> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of
> Alexander Staubo
> Sent: Tuesday, July 27, 1999 08:35
> To: Zope Mailing List (E-mail)
> Subject: [Zope] Down-level user folder conflict
>
>
> I have another interesting authorization failure problem (Zope 2.0.0b1).
>
> Let's say I have a folder called Restricted. Permissions for this folder
> are restricted to users of a specific privileged role called Editor.
> Inside this folder I also have a standard user folder with one such
> Editor user defined.
>
> The problem arises when the user is viewing a document in the Restricted
> folder, and the document is referring to objects -- such as images
> through <img> tags -- from the _unrestricted_ part of the database.
> It'll give "Unauthorized" on these objects no matter what. Remember that
> these objects aren't restricted at all; the Anonymous role has full View
> access.
>
> My suspicion is that if the browser passes an authentication header that
> does not match a valid user (known to the folder or any up-level folders
> through acquisition; in my case the whole idea is that the user folder
> is not visible from the part of the site that the browser passes an
> authentication header to), then Zope will not revert to the anonymous
> role, but will instead just block the user unconditionally.
>
> If I move the user folder into the top-level folder, everything is
> groovy.
>
> Sounds like a bug, anybody care to comment before I bung it in the
> Collector?
>
> --
> Alexander Staubo             http://www.mop.no/~alex/
> "QED?" said Russell.
> "It's Latin," said Morgan. "It means, So there you bastard."
> --Robert Rankin, _Nostradamus Ate My Hamster_
>
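
The following is an added example, not part of either message and not Zope's own code: a simplified Python model of the lookup Alexander suspects, where credentials unknown to every acquired user folder either block the request or are evaluated as Anonymous. All class and function names are hypothetical and the site layout is constructed to match the report.

```python
# Simplified model of the behaviour discussed in this thread; not Zope code.
ANONYMOUS = ("Anonymous User", {"Anonymous"})

class Folder:
    def __init__(self, name, parent=None, view_roles=("Anonymous",), users=None):
        self.name, self.parent = name, parent
        self.view_roles = set(view_roles)   # roles granted View on this folder
        self.users = users or {}            # local user folder: name -> (password, roles)

    def acquired_user_folders(self):
        """Yield user folders from this folder up to the root (acquisition order)."""
        node = self
        while node is not None:
            if node.users:
                yield node.users
            node = node.parent

def authenticate(folder, credentials):
    """Return (name, roles) for credentials visible from `folder`, else None."""
    if credentials is None:
        return ANONYMOUS
    name, password = credentials
    for users in folder.acquired_user_folders():
        if name in users and users[name][0] == password:
            # Assumption of this model: every known user also holds Anonymous.
            return name, set(users[name][1]) | {"Anonymous"}
    return None  # credentials were sent, but no visible user folder knows them

def view(folder, credentials, fallback_to_anonymous):
    """Return the HTTP status for a View request on an object in `folder`."""
    user = authenticate(folder, credentials)
    if user is None:
        if not fallback_to_anonymous:
            return 401    # reported behaviour: unknown credentials block outright
        user = ANONYMOUS  # alternative: evaluate the request as Anonymous
    return 200 if user[1] & folder.view_roles else 401

# Constructed sample site: the Editor account lives only inside Restricted.
root = Folder("root", users={"manager": ("m-pass", ["Manager"])})
images = Folder("images", parent=root)
restricted = Folder("Restricted", parent=root, view_roles=("Editor",),
                    users={"editor": ("e-pass", ["Editor"])})
EDITOR = ("editor", "e-pass")
```

Calling `view(images, EDITOR, False)` reproduces the reported "Unauthorized" on an object Anonymous can view, while passing `True` serves it; defining the same account in the root folder, as both posters describe, also makes the lookup succeed.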