[Zope] zope 2.7: Unauthorized "in this context"

John Hunter jdhunter at ace.bsd.uchicago.edu
Wed Jun 15 10:48:41 EDT 2005 

>>>>> "Dieter" == Dieter Maurer <dieter at handshake.de> writes:

    Dieter> John Hunter wrote at 2005-6-7 09:52 -0500:
    >> ...  Traceback (innermost last): ...  URL:
    >> http://srp.uchicago.edu/2005/Sections/B1/Amrita%20Arora/ProjectSubmission_addForm/manage_main
    >> Physical Path:/srp/2005/Sections/B1/Amrita
    >> Arora/ProjectSubmission_addForm * Module
    >> DocumentTemplate.DT_String, line 474, in __call__ * Module
    >> DocumentTemplate.DT_With, line 76, in render
    >> 
    >> Unauthorized: You are not allowed to access 'mentor' in this
    >> context

    Dieter> The "VerboseSecurity" product may give you more detailed
    Dieter> information.

Hi Dieter,

I installed VerboseSecurity and now get a more helpful error message
in the log (to refresh your memory, this is a pure ZClass based
product which stopped working on an upgrade to 2.7).  Here is the
updated message

  Exception Type  	Unauthorized

  Exception Value The container has no security assertions. Access to
  'mentor' of (FactoryDispatcher instance at 40aeafb0) denied.

I googled this error message and found this thread,
http://www.gossamer-threads.com/lists/zope/users/176379.  You
responded to the OP


  > Unauthorized: The container has no security assertions. Access to
  > 'title_or_id' of (FactoryDispatcher instance at e68510)
  > denied. (Also,
  > an error occurred while attempting to render the standard error message.)

  This is very strange:

  It is true that a "FactoryDispatcher"
  ("App.FactoryDispatcher.FactoryDispatcher") does not have security
  assertions. But usually, it does not have a "title_or_id"
  either. Therefore, it should not be relevant with respect to
  "title_or_id" access that it lacks security assertions.

  Maybe, it is a bug introduced with the security tighening introduced
  in Zope 2.7.3 (there was some discussion about such a bug in the
  mailing list (zope-dev, I think)).

  You can try to add a "__role__ = None" and maybe a
  "__allow_access_to_unprotected_subobjects__ = 1" to the
  "FactoryDispatcher" class (--> "App/FactoryDispatcher.py") to see
  whether the problem disappears.  These two attributes will provide
  security assertions for the factory.


  Your "header/manage_main" DTML Method seems a bit strange, too.  Why
  does it use a "dtml-in" and in it a "dtml-with" and in it access to
  "title_or_id". This is somewhat unexpected in the add form of a
  ZClass.


But there was no followup.  Before I start hacking
App/FactoryDispatcher.py, I wanted to check in here and see if there
was a resolution to this problem, if this is a known bug with a fix,
etc.

Thanks!
JDH

More information about the Zope mailing list