• Remember Mailing List

  • Workflow problem with SVN version and 'new_private' workflow

    from Jim Nelson on May 07, 2008 03:00 PM
    After getting my remember-based product working, I realized that their data was being exposed to the world.  After 
    adding a workflow to the product set to default to 'new_private', the user profile was hidden, but users could not set 
    their own passwords.
    
    I got the following error after turning on verbose security:
    
    2008-05-07 13:23:46 ERROR Zope.SiteErrorLog http://aanamembertest.neteasyinc.com/pwreset_form
    Traceback (innermost last):
       Module ZPublisher.Publish, line 119, in publish
       Module ZPublisher.mapply, line 88, in mapply
       Module ZPublisher.Publish, line 42, in call_object
       Module Products.CMFFormController.FSControllerPageTemplate, line 90, in __call__
       Module Products.CMFFormController.BaseControllerPageTemplate, line 28, in _call
       Module Products.CMFFormController.ControllerBase, line 231, in getNext
       Module Products.CMFFormController.Actions.TraverseTo, line 38, in __call__
       Module ZPublisher.mapply, line 88, in mapply
       Module ZPublisher.Publish, line 42, in call_object
       Module Products.CMFFormController.FSControllerPythonScript, line 104, in __call__
       Module Products.CMFFormController.Script, line 145, in __call__
       Module Products.CMFCore.FSPythonScript, line 140, in __call__
       Module Shared.DC.Scripts.Bindings, line 313, in __call__
       Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
       Module Products.CMFCore.FSPythonScript, line 196, in _exec
       Module None, line 6, in pwreset_action
        - <FSControllerPythonScript at /test/main/pwreset_action>
        - Line 6
       Module Products.PasswordResetTool.PasswordResetTool, line 151, in resetPassword
       Module Products.remember.content.member, line 325, in setMemberProperties
       Module Products.remember.content.member, line 321, in setProperties
       Module Products.remember.content.member, line 572, in update
       Module Products.remember.Extensions.workflow, line 23, in triggerAutomaticTransitions
       Module Products.CMFCore.ActionProviderBase, line 92, in listActionInfos
       Module Products.CMFPlone.PloneBaseTool, line 148, in _getExprContext
       Module Products.CMFPlone.PloneBaseTool, line 127, in getExprContext
       Module Products.CMFPlone.PloneBaseTool, line 79, in createExprContext
       Module OFS.Traversable, line 301, in restrictedTraverse
       Module OFS.Traversable, line 195, in unrestrictedTraverse
        - __traceback_info__: ([], '@@plone_portal_state')
       Module AccessControl.ImplPython, line 563, in validate
       Module AccessControl.ImplPython, line 461, in validate
       Module AccessControl.ImplPython, line 808, in raiseVerbose
    Unauthorized: Your user account does not have the required permission.  Access to '@@plone_portal_state' of (AANAMember 
    at /test/main/portal_memberdata/dirk used for /test/main/acl_users) denied. Your user account, Anonymous User, exists at 
    /acl_users. Access requires one of the following roles: ['Manager', 'Owner']. Your roles in this context are ['Anonymous'].
    
    Playing with one of the users and enabling the 'View' permission for 'Anonymous' allowed that specific user to set their 
    password, but also made their profile visible.
    
    What do I need to do to make this work?
    
  • Re: Workflow problem with SVN version and 'new_private' workflow

    from ra on May 12, 2008 05:35 PM
    Jim Nelson wrote:
    > After getting my remember-based product working, I realized that their 
    > data was being exposed to the world.  After adding a workflow to the 
    > product set to default to 'new_private', the user profile was hidden, but 
    > users could not set their own passwords.
    
    okay, the problem was that Plone has introduced some new views 
    (@@plone_portal_state and @@plone_context_state) which are used whenever a 
    TALES expression context is generated.  these views are protected by the View 
    permission.  normally this is fine, but remember has edge cases where 
    anonymous users really are supposed to be allowed to effect changes to 
    content, such as when you're using the password reset machinery.
    
    i've just made a commit to the remember trunk (r64675) which should resolve 
    this issue.  please svn up and try it out.
    
    note that there's also a similar (but not identical, alas) error when you try 
    to use the regular password reset machinery on a member in the private state.  
    this commit does not fix that problem... i'll have to deal with that separately.
    
    -r
    
    
    > 
    > I got the following error after turning on verbose security:
    > 
    > 2008-05-07 13:23:46 ERROR Zope.SiteErrorLog 
    > http://aanamembertest.neteasyinc.com/pwreset_form
    > Traceback (innermost last):
    >   Module ZPublisher.Publish, line 119, in publish
    >   Module ZPublisher.mapply, line 88, in mapply
    >   Module ZPublisher.Publish, line 42, in call_object
    >   Module Products.CMFFormController.FSControllerPageTemplate, line 90, 
    > in __call__
    >   Module Products.CMFFormController.BaseControllerPageTemplate, line 28, 
    > in _call
    >   Module Products.CMFFormController.ControllerBase, line 231, in getNext
    >   Module Products.CMFFormController.Actions.TraverseTo, line 38, in 
    > __call__
    >   Module ZPublisher.mapply, line 88, in mapply
    >   Module ZPublisher.Publish, line 42, in call_object
    >   Module Products.CMFFormController.FSControllerPythonScript, line 104, 
    > in __call__
    >   Module Products.CMFFormController.Script, line 145, in __call__
    >   Module Products.CMFCore.FSPythonScript, line 140, in __call__
    >   Module Shared.DC.Scripts.Bindings, line 313, in __call__
    >   Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
    >   Module Products.CMFCore.FSPythonScript, line 196, in _exec
    >   Module None, line 6, in pwreset_action
    >    - <FSControllerPythonScript at /test/main/pwreset_action>
    >    - Line 6
    >   Module Products.PasswordResetTool.PasswordResetTool, line 151, in 
    > resetPassword
    >   Module Products.remember.content.member, line 325, in setMemberProperties
    >   Module Products.remember.content.member, line 321, in setProperties
    >   Module Products.remember.content.member, line 572, in update
    >   Module Products.remember.Extensions.workflow, line 23, in 
    > triggerAutomaticTransitions
    >   Module Products.CMFCore.ActionProviderBase, line 92, in listActionInfos
    >   Module Products.CMFPlone.PloneBaseTool, line 148, in _getExprContext
    >   Module Products.CMFPlone.PloneBaseTool, line 127, in getExprContext
    >   Module Products.CMFPlone.PloneBaseTool, line 79, in createExprContext
    >   Module OFS.Traversable, line 301, in restrictedTraverse
    >   Module OFS.Traversable, line 195, in unrestrictedTraverse
    >    - __traceback_info__: ([], '@@plone_portal_state')
    >   Module AccessControl.ImplPython, line 563, in validate
    >   Module AccessControl.ImplPython, line 461, in validate
    >   Module AccessControl.ImplPython, line 808, in raiseVerbose
    > Unauthorized: Your user account does not have the required permission.  
    > Access to '@@plone_portal_state' of (AANAMember at 
    > /test/main/portal_memberdata/dirk used for /test/main/acl_users) denied. 
    > Your user account, Anonymous User, exists at /acl_users. Access requires 
    > one of the following roles: ['Manager', 'Owner']. Your roles in this 
    > context are ['Anonymous'].
    > 
    > Playing with one of the users and enabling the 'View' permission for 
    > 'Anonymous' allowed that specific user to set their password, but also 
    > made their profile visible.
    > 
    > What do I need to do to make this work?
    > 
    >
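
Added example, not part of the original thread and not code from remember, Plone or Zope: a small self-contained Python model of the trade-off discussed above, where 'View' on a private member is held only by Manager and Owner. The class and function names, the reset-request check and the scoped-elevation approach are assumptions for illustration; the thread does not say how r64675 resolves the issue.

```python
# Constructed model of the permission check in the thread; not Zope/Plone code.
from contextlib import contextmanager

class Unauthorized(Exception):
    pass

class Member:
    def __init__(self, view_roles):
        self.view_roles = set(view_roles)  # roles holding 'View' in this workflow state
        self.password = None

class Session:
    def __init__(self, roles):
        self.roles = set(roles)

    @contextmanager
    def elevated(self, role):
        """Hold one extra role for a single block, restoring it even on error."""
        saved = set(self.roles)
        self.roles.add(role)
        try:
            yield
        finally:
            self.roles = saved

def require_view(session, member):
    if not session.roles & member.view_roles:
        raise Unauthorized("View denied; roles held: %s" % sorted(session.roles))

def reset_password(session, member, token_ok, new_password, scoped=False):
    if not token_ok:  # assumed: the reset request is validated before anything else
        raise Unauthorized("invalid reset request")
    if scoped:
        with session.elevated("Owner"):  # elevation covers only the internal lookup
            require_view(session, member)  # stands in for @@plone_portal_state
    else:
        require_view(session, member)
    member.password = new_password

def scenario(view_roles, scoped, token_ok=True):
    """Return (reset_succeeded, profile_visible_to_anonymous)."""
    anon, member = Session(["Anonymous"]), Member(view_roles)
    try:
        reset_password(anon, member, token_ok, "new-secret", scoped)
        reset_ok = True
    except Unauthorized:
        reset_ok = False
    visible = bool(anon.roles & member.view_roles)
    return reset_ok, visible
```

The three cases from the thread map to scenario(["Manager", "Owner"], False) for the private state, scenario(["Manager", "Owner", "Anonymous"], False) for the 'View'-for-Anonymous workaround, and scenario(["Manager", "Owner"], True) for an elevation limited to the internal lookup.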