Inheritance of Folder Permissions (set in ZMI)

Bug #546615 reported by Vladislav Vorobiev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Zope 2 | Invalid | Undecided | Unassigned |

Bug Description

Zope2 2.12.3

If you specify permissions on a folder, for example:

view only for manager

folder 1 - permission view all
--index_html - calls xyz
--xyz script

--folder 2 - permission view manager
----xyz script

Error Type: Unauthorized
Error Value: You are not allowed to access 'xyz' in this context

In all previous versions you got a login form.

Tres Seaver (tseaver) wrote : Re: [zope2-tracker] [Bug 546615] [NEW] Inheritance of Folder Permissions (set in ZMI)

Vladislav Vorobiev wrote:
> Public bug reported:
>
> Zope2 2.12.3
>
> if you specify permissions on folder for example:
>
> view only for manager
>
> folder 1 - permission view all
> --index_html - calls xyz
> --xyz script
>
> --folder 2 - permission view manager
> ----xyz script
>
> Error Type: Unauthorized
> Error Value: You are not allowed to access 'xyz' in this context
>
> in all preview versions you got an login form.

 status confirmed

After constructing a similar folder structure in a new empty instance,
and granting 'View' on the 'protected' subfolder only to 'Manager' (no
acquisition), I was able to see the error page as described here when
visiting the protected folder. Looking at the headers with 'wget' shows:

--------------------- %< --------------------------------
$ wget -O - -S http://localhost:8080/lp546615/protected
--2010-03-25 07:19:38-- http://localhost:8080/lp546615/protected
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 401 Unauthorized
  Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
  Date: Thu, 25 Mar 2010 11:19:38 GMT
  Content-Length: 911
  Content-Type: text/html; charset=iso-8859-15
  Connection: Keep-Alive
Authorization failed.
$ wget -O - -S http://localhost:8080/manage
--2010-03-25 07:20:03-- http://localhost:8080/manage
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 401 Unauthorized
  Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
  Date: Thu, 25 Mar 2010 11:20:03 GMT
  Connection: Keep-Alive
  Content-Length: 187
  Content-Type: text/html; charset=iso-8859-15
  WWW-Authenticate: basic realm="Zope"
Authorization failed.
--------------------- %< --------------------------------

Which indicates that the 'WWW-Authenticate' challenge header is not
being added to the request for the protected subfolder as it should be.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com

Changed in zope2:
status: New → Confirmed
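
An added example, not part of the original comment or of Zope's own code: a small Python check that parses header dumps in the layout `wget -S` prints and reports URLs that answered 401 without a `WWW-Authenticate` challenge, the symptom confirmed in the comment above. The sample input is abridged from the two responses quoted there; the function names are made up for this example.

```python
import re

# Header dump in the layout `wget -S` prints, abridged from the two
# responses quoted in the comment above.
SAMPLE = """\
--2010-03-25 07:19:38--  http://localhost:8080/lp546615/protected
HTTP request sent, awaiting response...
  HTTP/1.0 401 Unauthorized
  Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
  Content-Length: 911
  Content-Type: text/html; charset=iso-8859-15
Authorization failed.
--2010-03-25 07:20:03--  http://localhost:8080/manage
HTTP request sent, awaiting response...
  HTTP/1.0 401 Unauthorized
  Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
  Content-Length: 187
  WWW-Authenticate: basic realm="Zope"
Authorization failed.
"""

URL_LINE = re.compile(r"^--\S+ \S+--\s+(\S+)$")          # "--date time--  URL"
STATUS_LINE = re.compile(r"^\s+HTTP/\d\.\d (\d{3})\b")    # indented status line
HEADER_LINE = re.compile(r"^\s+([A-Za-z0-9-]+):\s*(.*)$") # indented "Name: value"


def parse_responses(dump):
    """Return one dict per response: url, status, lower-cased header names."""
    responses, url = [], None
    for line in dump.splitlines():
        if m := URL_LINE.match(line):
            url = m.group(1)
        elif m := STATUS_LINE.match(line):
            responses.append({"url": url, "status": int(m.group(1)), "headers": {}})
        elif responses and (m := HEADER_LINE.match(line)):
            responses[-1]["headers"][m.group(1).lower()] = m.group(2)
    return responses


def missing_challenge(dump):
    """URLs that answered 401 without a WWW-Authenticate challenge."""
    return [r["url"] for r in parse_responses(dump)
            if r["status"] == 401 and "www-authenticate" not in r["headers"]]


if __name__ == "__main__":
    for url in missing_challenge(SAMPLE):
        print("401 without WWW-Authenticate:", url)
```

Without the challenge header a browser has nothing to prompt with, so the user sees the error page instead of a login dialog.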
Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid