Inheritance of Folder Permissions (set in ZMI)
Bug #546615 reported by Vladislav Vorobiev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Invalid | Undecided | Unassigned |
Bug Description
Zope2 2.12.3
If you specify permissions on a folder, for example:
view only for manager
folder 1 - permission view all
--index_html - calls xyz
--xyz script
--folder 2 - permission view manager
----xyz script
Error Type: Unauthorized
Error Value: You are not allowed to access 'xyz' in this context
In all preview versions you got a login form.
Vladislav Vorobiev wrote:
> Public bug reported:
>
> Zope2 2.12.3
>
> If you specify permissions on a folder, for example:
>
> view only for manager
>
> folder 1 - permission view all
> --index_html - calls xyz
> --xyz script
>
> --folder 2 - permission view manager
> ----xyz script
>
> Error Type: Unauthorized
> Error Value: You are not allowed to access 'xyz' in this context
>
> In all preview versions you got a login form.
status confirmed
After constructing a similar folder structure in a new empty instance,
and granting 'View' on the 'protected' subfolder only to 'Manager' (no
acquisition), I was able to see the error page as described here when
visiting the protected folder. Looking at the headers with 'wget' shows:
------- ------- ------- %< ------- ------- ------- ------- ----
$ wget -O - -S http://localhost:8080/lp546615/protected
--2010-03-25 07:19:38-- http://localhost:8080/lp546615/protected
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.0 401 Unauthorized
Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
Date: Thu, 25 Mar 2010 11:19:38 GMT
Content-Length: 911
Content-Type: text/html; charset=iso-8859-15
Connection: Keep-Alive
Authorization failed.

$ wget -O - -S http://localhost:8080/manage
--2010-03-25 07:20:03-- http://localhost:8080/manage
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.0 401 Unauthorized
Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
Date: Thu, 25 Mar 2010 11:20:03 GMT
Connection: Keep-Alive
Content-Length: 187
Content-Type: text/html; charset=iso-8859-15
WWW-Authenticate: basic realm="Zope"
Authorization failed.
------- ------- ------- %< ------- ------- ------- ------- ----
Which indicates that the 'WWW-Authenticate' challenge header is not
being added to the request for the protected subfolder as it should be.
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com
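The header comparison made in the comment above can be automated. The following is an added example, not part of the original report or of Zope's code: it parses `wget -S` output and lists 401 responses that carry no `WWW-Authenticate` challenge, using the two responses from the comment as input (bodies and wget progress lines omitted). The function names are hypothetical.

```python
import re

# Response headers as shown in the comment above (wget -S output, trimmed).
TRANSCRIPT = """\
$ wget -O - -S http://localhost:8080/lp546615/protected
HTTP/1.0 401 Unauthorized
Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
Date: Thu, 25 Mar 2010 11:19:38 GMT
Content-Length: 911
Content-Type: text/html; charset=iso-8859-15
Connection: Keep-Alive
$ wget -O - -S http://localhost:8080/manage
HTTP/1.0 401 Unauthorized
Server: Zope/(2.12.3, python 2.6.4, linux2) ZServer/1.1
Date: Thu, 25 Mar 2010 11:20:03 GMT
Connection: Keep-Alive
Content-Length: 187
Content-Type: text/html; charset=iso-8859-15
WWW-Authenticate: basic realm="Zope"
"""

STATUS = re.compile(r"^HTTP/\d\.\d (\d{3})")
HEADER = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*")  # challenge must start with an auth scheme


def parse_responses(transcript):
    """Return a list of (url, status, headers) tuples from a `wget -S` transcript."""
    responses, url, current = [], None, None
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("$ wget"):
            url = line.split()[-1]          # last argument is the requested URL
        elif (m := STATUS.match(line)):
            current = (url, int(m.group(1)), {})
            responses.append(current)
        elif current and (m := HEADER.match(line)):
            current[2][m.group(1).lower()] = m.group(2)  # header names are case-insensitive
    return responses


def missing_challenge(responses):
    """URLs whose 401 response has no usable WWW-Authenticate challenge."""
    return [url for url, status, headers in responses
            if status == 401 and not SCHEME.match(headers.get("www-authenticate", ""))]


if __name__ == "__main__":
    for url in missing_challenge(parse_responses(TRANSCRIPT)):
        print("401 without WWW-Authenticate:", url)
```

Without the challenge header a browser has no scheme or realm to prompt for, so it renders the error body instead of asking for credentials, which matches the behaviour described in the report.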