[Zope] Security exception after going from 2.6.2 -> 2.7.3

Dieter Maurer dieter at handshake.de
Mon Mar 7 14:06:38 EST 2005


Jean Jordaan wrote at 2005-3-7 16:36 +0200:
>Hmf, neither 2.7.5b1 nor zope.org/Zope.Zope-2_7-branch cures the
>IISet hassle. The traceback is the same as in my original posting.
>
>Looks like I need to move that code out of restricted python.
>
>Elsewhere I also see this:
>
>Unauthorized: Your user account, jean, is defined outside the context of 
>the object being accessed. Access to 'id' of (Reseller instance at 
>414925c0) denied. Access requires one of the following roles: 
>['Administrator', 'Manager', 'Supporter'].
>
>The fix for that is to s/id/getId()/

I hope this does not work (it should not!).

"s/id" may be unauthorized (because it is protected
by the "ObjectPermission") while
"s/getId" may be authorized (because "getId" can carry
its own permission -- different from the "ObjectPermission").

But if "s/id" is unauthorized, then "s/id/getId" should be as well
(and "s/id/getId()" should be a syntax error -- be more careful in
the future!).

-- 
Dieter

