[Zope] Just info: Bad interaction between session and security

Jean Jordaan jean@upfrontsystems.co.za
Fri, 23 May 2003 15:05:55 +0200


Hi all

I'm posting this in case I can save someone coming later from
some grief.

I was stumped: playing through a series of forms in my app as
manager, everything is fine. But when I login as a different user,
Zope raises a KeyError at the final step. This is what I log:

==> var/z2.log <==
------
2003-05-22T16:43:18 INFO(0) MyDebugLog
assessment_add> == state == finish ================------
2003-05-22T16:43:18 INFO(0) MyDebugLog
assessment_add> a_session: {'currentstate': 'finish', 'assessed_path': 
'/qy/positions/pete_smith_OrganisationPosition_163027/pete_smith_OrganisationPosition_174202', 
'assessment_type': 'q_1', 'assessed_type': 'OrganisationPosition'}------

2003-05-22T16:43:18 INFO(0) MyDebugLog
assessment_add> == state == finish ================------
2003-05-22T16:43:18 INFO(0) MyDebugLog
assessment_add> a_session: {'assessment_type': 'q_1', 'currentstate': 
'finish'}------

The weird thing is that 'a_session' is only logged *once* for
state 'finish' in my script. Yet here it is logged twice in the
same second: the first time with all the necessary keys on the
session, the next time with keys missing, causing a KeyError.

It turns out that a call in my method was accessing an object
for which the user doesn't have rights, but Zope showed no trace
of this. The result was that Mozilla dropped all authentication
info and the request was resubmitted, which triggered the second
log: now as an unauthenticated user, without the necessary info
on their session. It cost me a good few hours to cotton on.
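
The interaction described above, as an added plain-Python model (not Jean's code and not Zope's): each log line names the user the session belongs to, and the finish step checks the keys it relies on before using them, so the unauthenticated resubmission fails with a message naming the user and the missing keys instead of a bare KeyError. Function names, the user names and the sample path are all hypothetical.

```python
import logging

log = logging.getLogger("MyDebugLog")

# Keys the final 'finish' step expects to find on the session (from the post).
REQUIRED_KEYS = ("currentstate", "assessed_path", "assessment_type", "assessed_type")

class Unauthorized(Exception):
    """Stands in for Zope's Unauthorized exception (the HTTP 401 the browser reacts to)."""

class SessionError(KeyError):
    """KeyError subclass, so existing handlers still catch it, but with a useful message."""

def check_session(session, user, required=REQUIRED_KEYS):
    """Name the user and the missing keys instead of letting a bare KeyError escape."""
    missing = [k for k in required if k not in session]
    if missing:
        raise SessionError(f"user {user!r}: session missing {missing}; present: {sorted(session)}")

def assessment_add(session, user, can_view_target, defensive):
    """The 'finish' step. can_view_target models the permission check on the object the
    step touches; defensive=True enables the up-front session check."""
    # Logging the user next to the session makes two requests in one second distinguishable.
    log.info("assessment_add> user=%s state=%s a_session=%r", user, session.get("currentstate"), session)
    if defensive:
        check_session(session, user)
    path = session["assessed_path"]          # bare KeyError here in the naive variant
    if not can_view_target:
        raise Unauthorized(path)             # what Zope raised behind the scenes
    return f"assessed {path} as {user}"

def run_request_cycle(defensive):
    """Model of the post: the authenticated request trips Unauthorized, the browser drops
    its credentials and resubmits, and the retry carries only the keys the form posted.
    Returns (exception class name, message) for the retry, or ("ok", None)."""
    full = {"currentstate": "finish", "assessed_path": "/qy/positions/example",  # constructed
            "assessment_type": "q_1", "assessed_type": "OrganisationPosition"}
    try:
        assessment_add(full, "other_user", can_view_target=False, defensive=defensive)
    except Unauthorized:
        pass  # browser resubmits without authentication info
    retried = {"assessment_type": "q_1", "currentstate": "finish"}  # only form-posted keys
    try:
        assessment_add(retried, "Anonymous User", can_view_target=True, defensive=defensive)
    except KeyError as exc:
        return type(exc).__name__, str(exc)
    return "ok", None
```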

-- 
Jean Jordaan
http://www.upfrontsystems.co.za