CookieCrumbler: unauth redirect broken

Bug #558340 reported by yuppie

Affects: Zope CMF buildout
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Expected behavior: If you try to view e.g. the reconfig_form without being logged in, you should be redirected to the login form specified in 'auto_login_page' of your CookieCrumbler instance.

This works e.g. with CMF 2.1 and Zope 2.10, but is broken with CMF trunk and Zope trunk.

Here is a summary of what I figured out so far:

In old Zope versions SimpleItem.Item.raise_standardErrorMessage always raised an error. Now handle_errors is True by default and no error is raised. As a result the ZPublisher doesn't call the _unauthorized method. But CookieCrumbler currently uses _unauthorized as a hook for the unauth redirect.

I guess CookieCrumbler should hook in somewhere else.

Tags: bug cmfcore
Charlie_X (charlie) wrote:

On Zope 2.12.4 + CMF 2.2 I get the following traceback:

2010-04-08 12:25:36 ERROR Zope.SiteErrorLog 1270722336.790.432640952318 http://localhost:11080/advitam/reconfig_form
Traceback (innermost last):
  Module ZPublisher.Publish, line 127, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 47, in call_object
  Module Products.CMFCore.FSPythonScript, line 130, in __call__
  Module Shared.DC.Scripts.Bindings, line 324, in __call__
  Module Shared.DC.Scripts.Bindings, line 361, in _bindAndExec
  Module Products.PythonScripts.PythonScript, line 344, in _exec
  Module script, line 19, in reconfig_form
   - <FSPythonScript at /advitam/reconfig_form>
   - Line 19
  Module Products.CMFCore.ActionProviderBase, line 147, in getActionInfo
Unauthorized: You are not allowed to access any of the specified Actions.

The offending line is
target = atool.getActionInfo('global/configPortal')['url']

Accessing unpublished content, etc. for which the user doesn't have the View permission still redirects to the login_form. I'd rather have as much access controlled through permissions as possible.

yuppie (yuppie3) wrote:

You are right. Sometimes the redirect works. In a plain CMFDefault site with 'Sample CMFDefault Content' extension 'subfolder/binary_image.png' works, but not 'subfolder/binary_image.png/image_view'.

The CookieCrumbler overrides resp.unauthorized *and* resp._unauthorized. AFAICS the resp.unauthorized hook is still working. But it is only called if BaseRequest.traverse does the security check.
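
To make the two hook points discussed above concrete (the _unauthorized path in the bug description and the resp.unauthorized traversal hook in the last comment), here is a small Python model written for this page. It is not Zope, ZPublisher or CMF code: the classes Response, CookieCrumblerResponse, Content and ReconfigForm, the functions traverse, publish and outcome, and the sample site are simplified stand-ins with names chosen here, and the real control flow is more involved. The model reproduces both observations: when traversal itself denies access (the binary_image.png case) the overridden resp.unauthorized still issues the redirect in both modes, but an Unauthorized raised inside the published object (reconfig_form calling getActionInfo) only reaches resp._unauthorized when the publisher handles the error rather than raise_standardErrorMessage.

```python
"""Toy model of the CookieCrumbler hook points; an illustration for this
bug page, not Zope/ZPublisher/CMF code. Names are chosen here and the
control flow is simplified."""


class Unauthorized(Exception):
    """Stands in for AccessControl.Unauthorized."""


class Response:
    """Minimal stand-in for the publisher's response object."""

    def __init__(self):
        self.status = 200
        self.body = ""
        self.location = None  # set once a redirect has been issued

    def unauthorized(self):
        # Hook used by the traversal security check; stops publishing.
        raise Unauthorized("denied during traversal")

    def _unauthorized(self):
        # Hook the publisher calls after an Unauthorized has propagated out
        # of the published object (old Zope behaviour).
        self.status, self.body = 401, "standard 401 page"


class CookieCrumblerResponse(Response):
    """Overrides *both* hooks to redirect to the configured auto_login_page."""

    def __init__(self, auto_login_page="login_form"):
        super().__init__()
        self.auto_login_page = auto_login_page

    def _redirect_to_login(self):
        self.status, self.location = 302, self.auto_login_page

    def unauthorized(self):
        self._redirect_to_login()
        raise Unauthorized("redirected during traversal")

    def _unauthorized(self):
        self._redirect_to_login()


class Content:
    """A published object; view_allowed models the View permission."""

    def __init__(self, body="ok", view_allowed=True, children=None):
        self.body, self.view_allowed = body, view_allowed
        self.children = children or {}

    def __call__(self):
        return self.body


class ReconfigForm(Content):
    """Traversal permits it, but like reconfig_form it raises Unauthorized
    from inside (getActionInfo on a protected action) once it runs."""

    def __call__(self):
        raise Unauthorized("not allowed to access any of the specified Actions")


# Constructed sample site: anonymous may reach the folder but not the image.
SITE = Content(children={
    "reconfig_form": ReconfigForm(),
    "subfolder": Content(children={
        "binary_image.png": Content(body="<png>", view_allowed=False)}),
})


def traverse(path, site, response, anonymous=True):
    """Walk the path; each step's security check uses resp.unauthorized."""
    obj = site
    for name in path.split("/"):
        obj = obj.children[name]
        if anonymous and not obj.view_allowed:
            response.unauthorized()
    return obj


def publish(path, handle_errors, response=None):
    """Publish `path` for an anonymous user and return the response.

    handle_errors=False models old Zope: the error propagates to the
    publisher, which calls _unauthorized. handle_errors=True models Zope
    trunk: raise_standardErrorMessage renders the error page itself and
    _unauthorized is never reached."""
    response = response or CookieCrumblerResponse()
    try:
        obj = traverse(path, SITE, response)
        response.body = obj()
    except Unauthorized:
        if response.location is not None:
            pass  # the traversal hook already issued the redirect
        elif handle_errors:
            response.status, response.body = 401, "standard error page"
        else:
            response._unauthorized()
    return response


def outcome(path, handle_errors):
    """(status, redirect target) for a path under the given error mode."""
    r = publish(path, handle_errors)
    return (r.status, r.location)


if __name__ == "__main__":
    for path in ("subfolder/binary_image.png", "reconfig_form"):
        for handle_errors in (False, True):
            print(path, "handle_errors=%s" % handle_errors,
                  outcome(path, handle_errors))
```

Running it shows the asymmetry the two comments describe: the image denied at traversal time redirects to login_form in both modes, while reconfig_form redirects only with handle_errors=False and otherwise ends in the standard error page with no redirect, which is why a hook tied to _unauthorized alone is no longer sufficient.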
