Ticket #1772 (new defect)

Opened 3 years ago

Last modified 3 years ago

Navigation Tree causes Unauthorized when there is no Anonymous access in root folder

Reported by: scamps
Assigned to: jmorliaguet
Priority: P2
Milestone: CPS 3.5.0
Component: CPSPortlets
Version: TRUNK
Severity: normal
Keywords:
Cc: tziade@nuxeo.com

Description

The Navigation Tree Portlet causes an "Unauthorized" error when Anonymous access has been removed from the root folder of the Zope instance. The verbose security message is very strange:

"Unauthorized: Your user account does not have the required permission. Access to None of None denied"

I've found the problem in browser.treenodeview.py, when trying a restricted traverse using an absolute path (/cps/workspaces). I think the patch I attach, converting this absolute path to a relative path (cps/workspaces), is a good solution. If you agree, I can commit it to trunk.

Attachments

CPSPortlets_treenodeview.patch (0.8 kB) - added by scamps on 11/07/06 18:56:19.

Change History

10/27/06 16:53:43 changed by gracinet

  • cc set to tziade@nuxeo.com.

Your solution has the effect of relying on acquisition. It wouldn't work if, e.g., there is a folder upstairs whose id is 'cps'. Another solution might be to use unrestrictedTraverse() here, since security checks are probably done already. Furthermore, I wonder what happens if the user doesn't have access to said root. I filed a ticket about some strange behaviors of this portlet that could be related.

11/07/06 18:56:19 changed by scamps

  • attachment CPSPortlets_treenodeview.patch added.

11/07/06 19:00:02 changed by scamps

Yes, you are completely right. What about this new version of the patch? It could have the same acquisition problem if the portal is inside a tree of folders, but this is strange, and I think it's better than relying on the security configuration of objects outside the CPS portal object (in that case, the root folder).
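
The trade-off discussed in this ticket, as an added example that is not part of the ticket, the attached patch, or the CPSPortlets code: a simplified Python model (not Zope itself) of restricted traversal with a root check for absolute paths and acquisition-style name lookup for relative ones. The `Folder` class, `build_site` and the folder tree are constructed for illustration.

```python
class Unauthorized(Exception):
    pass

class Folder:
    """Toy stand-in for a Zope folder: id, parent, children, roles allowed to view."""
    def __init__(self, id, parent=None, allowed=("Anonymous", "Manager")):
        self.id, self.parent, self.children = id, parent, {}
        self.allowed = set(allowed)
        if parent is not None:
            parent.children[id] = self

    def path(self):
        return "/" if self.parent is None else self.parent.path().rstrip("/") + "/" + self.id

    def acquire(self, name):
        # Acquisition-like lookup: own children first, then each container upward.
        node = self
        while node is not None:
            if name in node.children:
                return node.children[name]
            node = node.parent
        raise KeyError(name)

    def traverse(self, path, role, restricted=True):
        parts, obj = path.split("/"), self
        if parts[0] == "":  # absolute path: restart at the root and check it too
            while obj.parent is not None:
                obj = obj.parent
            parts = parts[1:]
            if restricted and role not in obj.allowed:
                raise Unauthorized("root folder")
        for name in parts:
            obj = obj.acquire(name)
            if restricted and role not in obj.allowed:
                raise Unauthorized(name)
        return obj

def build_site():
    # Constructed tree: Anonymous removed from the root, plus a workspace whose id is 'cps'.
    root = Folder("", allowed=("Manager",))
    portal = Folder("cps", root)
    workspaces = Folder("workspaces", portal)
    Folder("private", workspaces, allowed=("Manager",))
    user_ws = Folder("cps", workspaces)
    Folder("workspaces", user_ws)
    return portal, user_ws
```

In this model the absolute path fails for Anonymous at the root, the relative path `cps/workspaces` resolved from inside the workspace named 'cps' returns `/cps/workspaces/cps/workspaces` instead of `/cps/workspaces`, and the unrestricted call returns `/cps/workspaces/private` without any check.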