[Zope] Sudden authentication problem

Dunigan, Craig craig.dunigan@esker.com
Mon, 2 Apr 2001 11:11:18 -0500


Problem solved, but with more questions for Dieter, or whoever is willing to
answer them; see below.

> > > But the "Unauthorized" exception is already raised when
> > > the catalogued object is looked up.
> > Forgive my inexperience, but how do you know this?
> 
>     REQUEST['AUTHENTICATED_USER'].has_permission(
>         'Add EW Nav Links',
>         REQUEST.resolve_url(BASE0+getpath(data_record_id_)))
> 
> raised the "Unauthorized" exception (according to your traceback).
> 
>   In this expression, only "REQUEST.resolve_url(...)"
>   and maybe "getpath" (if your user can not access the catalog, but
>   that seems unlikely) can raise this exception.
>   "REQUEST" and its methods are public, "has_permission" is public,
>   "BASE0" is public (as part of "REQUEST").

I guess I meant how do you know that "getpath" is unlikely to have caused
the exception?  I knew that this line raised the exception, but why couldn't
it have come from "getpath"?  I'm trying here to get at that experienced
programmer thinking that says to you "that seems unlikely".  Are you
trusting that I haven't messed around with the catalog (given my
inexperience, _that_ seems likely, and I haven't)?  Presumably, in the
default configuration, the catalog is viewable by all users, including
"Anonymous", and as far as I know, that hasn't been modified.  But isn't
"getpath" going to cause an "Unauthorized" exception if the object referred
to by "data_record_id" in that particular iteration of the loop is
inaccessible, and not just if the catalog itself is inaccessible?  Or does
"getpath" not cause an access check?

>  > ....
>  > <dtml-call "REQUEST.set('YihawFolders', [])">
>  > <dtml-in expr="Catalog({'meta_type':'Yihaw Folder'})">
>  >   <dtml-if "REQUEST['AUTHENTICATED_USER'].has_permission('Add EW Nav Links',
>  >            REQUEST.resolve_url(BASE0+getpath(data_record_id_)))">
>  >     <dtml-call "YihawFolders.append(getpath(data_record_id_))">
>  >   </dtml-if>
>  > </dtml-in>
> 
> As a workaround, you could wrap your "if" into a "dtml-try".
> If you get an "Unauthorized" exception, it should surely not be
> in your "YihawFolders" list.
> 

This is of course exactly what I needed to do, thank you.  It turns out that
users want to secure some folders from general access, which was not part of
our original design, so the original programmer didn't take it into account.
So now, with a nice little try/except, all is well again.  Thanks much!

BTW, Dieter, I've begun reading your book in the five minutes a day I
laughingly refer to as my "free time."  Excellent work!

Craig
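
The workaround discussed in this message, written out as an added example (not code posted by either participant). It assumes the exception can be matched in `dtml-except` by the name `Unauthorized`, as it is worded in the thread. Naming the exception instead of using a bare `dtml-except` keeps unrelated errors visible.

```dtml
<dtml-call "REQUEST.set('YihawFolders', [])">
<dtml-in expr="Catalog({'meta_type':'Yihaw Folder'})">
  <dtml-try>
    <dtml-comment>
      resolve_url() looks up the catalogued object and is subject to the
      normal access check, so it can raise Unauthorized before
      has_permission() is ever evaluated.
    </dtml-comment>
    <dtml-if "REQUEST['AUTHENTICATED_USER'].has_permission('Add EW Nav Links',
             REQUEST.resolve_url(BASE0+getpath(data_record_id_)))">
      <dtml-call "YihawFolders.append(getpath(data_record_id_))">
    </dtml-if>
  <dtml-except Unauthorized>
    <dtml-comment>
      Fail closed: a folder the user may not even look up is left out of
      YihawFolders, and the loop continues with the next catalog record.
    </dtml-comment>
  </dtml-try>
</dtml-in>
```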