Ticket #3410 (closed Bug: fixed)

Opened 7 years ago

Last modified 3 years ago

revoking 'Set own properties' permission - can't view 'my preferences'

Reported by: Anonymous User Owned by:
Priority: minor Milestone: 2.1
Component: Infrastructure Version:
Severity: Keywords:
Cc:

Description

I don't want Members to be able to edit their own properties, but I do want them to be able to change their password. Revoking 'Set own properties' permission results in an Unauthorized exception when trying to view plone_memberprefs_panel.

The intent, of course, is to show the memberprefs panel, but only show the change password configlet. I need to be able to revoke 'Set own properties' becuase the 'setProperties' method of the MemberData class is protected by that permission.

User Name (User Id) marky (marky) Request URL  http://server2:8080/misc/doczone/plone_memberprefs_panel Exception Type Unauthorized Exception Value You are not allowed to access 'enumConfiglets' in this context

Traceback (innermost last):

  • Module ZPublisher.Publish, line 101, in publish
    • Module ZPublisher.mapply, line 88, in mapply
    • Module ZPublisher.Publish, line 39, in call_object
    • Module Shared.DC.Scripts.Bindings, line 306, in call
    • Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
    • Module Products.PageTemplates.ZopePageTemplate, line 222, in _exec
    • Module Products.PageTemplates.PageTemplate, line 96, in pt_render <ZopePageTemplate at /misc/doczone/plone_memberprefs_panel>
    • Module TAL.TALInterpreter, line 189, in call
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 663, in do_useMacro
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 408, in do_optTag_tal
    • Module TAL.TALInterpreter, line 393, in do_optTag
    • Module TAL.TALInterpreter, line 388, in no_tag
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 663, in do_useMacro
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 408, in do_optTag_tal
    • Module TAL.TALInterpreter, line 393, in do_optTag
    • Module TAL.TALInterpreter, line 388, in no_tag
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 694, in do_defineSlot
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 629, in do_condition
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 686, in do_defineSlot
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 408, in do_optTag_tal
    • Module TAL.TALInterpreter, line 393, in do_optTag
    • Module TAL.TALInterpreter, line 388, in no_tag
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 663, in do_useMacro
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 408, in do_optTag_tal
    • Module TAL.TALInterpreter, line 393, in do_optTag
    • Module TAL.TALInterpreter, line 388, in no_tag
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 605, in do_loop_tal
    • Module TAL.TALInterpreter, line 233, in interpret
    • Module TAL.TALInterpreter, line 459, in do_setLocal_tal
    • Module Products.PageTemplates.TALES, line 221, in evaluate URL: plone_memberprefs_panel Line 24, Column 16 Expression: <PythonExpr controlPanel.enumConfiglets(group=groupid?)> Names:

{'container': <PloneSite instance at 41235bf0>,

'context': <PloneSite instance at 41235bf0>, 'default': <Products.PageTemplates.TALES.Default instance at 0x40b3bfac>, 'here': <PloneSite instance at 41235bf0>, 'loop': <SafeMapping instance at 4320cce0>, 'modules': <Products.PageTemplates.ZRPythonExpr._SecureModuleImporter instance at 0x40b40c2c>, 'nothing': None, 'options': {'args': ()}, 'repeat': <SafeMapping instance at 4320cce0>, 'request': <HTTPRequest, URL= http://server2:8080/misc/doczone/plone_memberprefs_panel>, 'root': <Application instance at 41588ef0>, 'template': <ZopePageTemplate at /misc/doczone/plone_memberprefs_panel>, 'traverse_subpath': [], 'user': marky}

traceback_info: controlPanel.enumConfiglets(group=groupid?)

  • Module Python expression "controlPanel.enumConfiglets(group=groupid?)", line 1, in <expression>

Unauthorized: You are not allowed to access 'enumConfiglets' in this context

Change History

comment:1 Changed 7 years ago by limi

Sounds like a valid use case, scheduling for 2.1

comment:2 Changed 7 years ago by davismr

We also have the same use case.

The problem is in the enumConfiglets method in PloneControlPanel which is called from the portlet_prefs. Could this not be made public rather than declareProtected, as each configlet handles it's own security.

comment:3 Changed 7 years ago by alecm

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in 2.1 svn

comment:4 Changed 3 years ago by hannosch

  • Component changed from Permissions to Infrastructure
Note: See TracTickets for help on using tickets.