Ticket #1772 (new defect)

Opened 13 years ago

Last modified 13 years ago

Navigation Tree causes Unauthorized when there is no Anonymous access in root folder

Reported by: scamps Owned by: jmorliaguet
Priority: P2 Milestone: CPS 3.5.7
Component: CPSPortlets Version: TRUNK
Severity: normal Keywords:
Cc: tziade@…


The Navigation Tree Portlet causes an "Unauthorized" error when the Anonymous access has been removed from the root folder of the Zope instance. The verbose security message is very strange:

"Unauthorized: Your user account does not have the required permission. Access to None of None denied"

I've found the problem in browser.treenodeview.py, when trying a restricted traverse using an absolute path (/cps/workspaces). I think the patch I attach, converting this absolute path to a relative path (cps/workspaces), is a good solution. If you agree, I can commit it to trunk.


CPSPortlets_treenodeview.patch (775 bytes) - added by scamps 13 years ago.

Change History

comment:1 Changed 13 years ago by gracinet

  • Cc tziade@… added

Your solution has the effect of relying on acquisition. It wouldn't work if, e.g., there is a folder upstairs whose id is 'cps'. Another solution might be to use unrestrictedTraverse() here, since security checks are probably done already. Furthermore, I wonder what happens if the user hasn't access to said root. I filed a ticket about some strange behaviors of this portlet, that could be related.

Changed 13 years ago by scamps

comment:2 Changed 13 years ago by scamps

Yes, you are completely right. What about this new version of the patch? It could have the same acquisition problem if the portal is inside a tree of folders, but this is strange, and I think it's better than relying on the security configuration of objects outside the CPS portal object (in that case, the root folder).
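
Added illustration, not code from the ticket, the attached patches or Zope/CPS: a simplified Python model of the three traversal options discussed in this thread (restricted absolute path, restricted relative path via acquisition, unrestricted traversal). `Node`, `acquire`, `traverse` and `build_site` are hypothetical names, the tree is constructed sample data, and the model assumes that restricted traversal of an absolute path security-checks the root object before descending.

```python
# Simplified model of Zope-style traversal; NOT Zope/CPS code. All names are hypothetical.
class Unauthorized(Exception):
    pass

class Node:
    def __init__(self, name, parent=None, allowed=("Anonymous",)):
        self.name, self.parent, self.children = name, parent, {}
        self.allowed = set(allowed)        # roles granted access to this object
        if parent is not None:
            parent.children[name] = self

    def root(self):
        return self if self.parent is None else self.parent.root()

    def path(self):
        return "/" if self.parent is None else self.parent.path().rstrip("/") + "/" + self.name

def acquire(context, name):
    """Look `name` up on the context, then on each parent in turn (acquisition)."""
    node = context
    while node is not None:
        if name in node.children:
            return node.children[name]     # nearest match wins, even if it is the wrong one
        node = node.parent
    raise KeyError(name)

def traverse(context, path, role, restricted=True):
    def check(obj):
        if restricted and role not in obj.allowed:
            raise Unauthorized("access to %s denied" % obj.path())
        return obj
    parts = path.split("/")
    if parts[0] == "":                     # absolute path: start at the root, which is checked
        obj = check(context.root())
    else:                                  # relative path: the first name is acquired
        obj = check(acquire(context, parts[0]))
    for name in parts[1:]:
        obj = check(obj.children[name])
    return obj

def build_site(shadow=False):
    """Constructed sample tree: the root denies Anonymous, the portal 'cps' allows it."""
    root = Node("", allowed=("Manager",))
    cps = Node("cps", root)
    Node("workspaces", cps)
    sections = Node("sections", cps)
    if shadow:                             # a folder with id 'cps' in the acquisition chain
        Node("workspaces", Node("cps", sections))
    return sections                        # context in which the portlet is rendered
```

In this model `restricted=False` skips the check on every object along the path, including the target, so it is only appropriate where access to the target has already been verified.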
