*** niemeyer has quit IRC | 00:01 | |
*** hazmat_ has joined #zope3-dev | 00:02 | |
*** J1m has quit IRC | 00:05 | |
*** hazmat has quit IRC | 00:12 | |
*** bradb has quit IRC | 00:15 | |
*** MiUlEr has quit IRC | 00:24 | |
*** srichter has quit IRC | 00:41 | |
*** C8E has joined #zope3-dev | 00:52 | |
*** dman13 has joined #zope3-dev | 01:15 | |
dman13 | anyone want to help me debug a strange Unauthorized error? I have a wiki in a site; users come from ldap. All users are granted all roles (including administrator) at the root of the site. All users are fine, except for one -- this one gets an Unauthorized error in the middle of zope.app.publication.browser.BrowserPublication.getDefaultTraversal() | 01:17 |
projekt01 | dman13, what's the name of the user? | 01:22 |
dman13 | projekt01: gwaffen | 01:22 |
projekt01 | Hm, how is your setup with LDAP? | 01:22 |
projekt01 | Ldappas? | 01:22 |
projekt01 | You use the trunk? Or 3X | 01:22 |
dman13 | projekt01: if I try using pdb.set_trace() in getDefaultTraversal, the problem object shows no attributes with dir(). | 01:22 |
dman13 | projekt01: 3.0.0, using ldapauth | 01:23 |
dman13 | projekt01: what I can't figure is why it works for all the other (4) users but not this one | 01:23 |
projekt01 | What is the problem object? A PrincipalInformation instance? Or the object which you traverse? | 01:24 |
dman13 | projekt01: the object being traversed: | 01:24 |
dman13 | <zope.app.pagetemplate.simpleviewclass.SimpleViewClass from /srv/zope3/main/lib/python/zwiki/browser/wiki_toc.pt object at 0x4405e5ec> | 01:24 |
projekt01 | Is the wiki at all not accessible for this user? | 01:25 |
projekt01 | Or just this view | 01:25 |
dman13 | nothing that I have tried is accessible by this user | 01:25 |
dman13 | I should mention that the CSS resource is accessible | 01:26 |
C8E | dman13: kill that user ;) | 01:26 |
dman13 | heh | 01:26 |
dman13 | it's my boss, actually | 01:26 |
projekt01 | Ok, please add a simple file and try to access this file, then we are sure that's not the wiki which makes the problem | 01:26 |
C8E | sh*t | 01:26 |
projekt01 | NO, wait with killing | 01:26 |
C8E | err, don't kill it | 01:26 |
projekt01 | I also think it's the user which is bad but this user gets created each time you login | 01:27 |
projekt01 | Did you try to login again in a fresh browser? Did you have the same situation? | 01:28 |
dman13 | projekt01: yeah, this started a few days ago (well, that was the first time he tried to use the wiki) and just today I started to investigate it. Different computers, different browser processes and different browsers (win32 firefox vs. linux galeon) | 01:29 |
dman13 | also, as projekt01 said, the user is pulled from ldap each time, so there is nothing in the zodb to delete (other than permission grants) | 01:29 |
projekt01 | Did you try to add and access a file next to the wiki? | 01:29 |
dman13 | so, I created the File object | 01:29 |
*** bskahan has joined #zope3-dev | 01:30 | |
dman13 | (interesting, the Data field of the add form doesn't work) | 01:30 |
projekt01 | Hm, I think we added a cache for users? | 01:30 |
dman13 | the user can view it http://.../hello-world.txt, but can't preview it hello-world.txt/@@preview.html | 01:30 |
dman13 | projekt01: that isn't persistent across server restarts, is it? | 01:30 |
dman13 | projekt01: I restarted the server several times as I added debug 'prints' | 01:31 |
dman13 | btw, I put that File in the root of the zope system, so no folders or any other objects in the way | 01:31 |
projekt01 | No, over server restarts the principal will be read from the LDAP again | 01:32 |
projekt01 | But in a browser session it should be cached. | 01:32 |
dman13 | ok | 01:33 |
projekt01 | Your question about accessing only the hello-world view, | 01:33 |
projekt01 | This is because you only have "Authenticated" principal, I think. | 01:33 |
projekt01 | Can you go to the Error view | 01:34 |
projekt01 | Go to settings at the error view and lear the textarea and save it. | 01:34 |
projekt01 | Lear/clear | 01:34 |
projekt01 | Then try again | 01:35 |
dman13 | projekt01: it -should- have all roles including administrator | 01:35 |
dman13 | ok | 01:35 |
dman13 | projekt01: ignored exception types? that field is empty | 01:35 |
projekt01 | This should handle Unauthorized errors as errors, then you get a better Traceback | 01:35 |
projekt01 | Yup | 01:35 |
dman13 | yeah, I get those errors logged, but it doesn't tell me -why- the user is unauthorized. It does show the permission needed, but I don't see any mention of roles at all | 01:36 |
dman13 | is there some bit I can send you that would help? | 01:36 |
projekt01 | On the top of this view is information about the principal. What principal is reported? | 01:37 |
dman13 | User | 01:37 |
dman13 | gwaffen, AuthenticationService-2115014379-1108163252 ldap gwaffen, gwaffen | 01:37 |
projekt01 | Could be | 01:37 |
dman13 | interesting -- the User line ends with ',' | 01:37 |
dman13 | maybe the roles are supposed to be listed there? | 01:37 |
projekt01 | Ok, you use a user called gwaffen | 01:37 |
projekt01 | No roles | 01:38 |
projekt01 | listed | 01:38 |
projekt01 | Right ow it looks that gwaffen doesn't have the permission | 01:38 |
projekt01 | Ow/now | 01:38 |
projekt01 | Can you try to add the ManageContent permission to gwaffen at the file where we added before? | 01:39 |
projekt01 | Important, delete all roles which you granted to gwaffen on this file. Or better use the folder above for granting. | 01:39 |
projekt01 | Yeah, use the folder above the file for granting, and clean all grants to gwaffen at the file | 01:40 |
projekt01 | Then try to access the file again | 01:40 |
dman13 | by "clean" do you mean to select "Unset" or "Deny"? | 01:41 |
projekt01 | Unset | 01:41 |
dman13 | ok | 01:41 |
dman13 | ok, I made all his grants "Unset" on both the file and the folder above it (which is "/") | 01:42 |
dman13 | and I get the same error | 01:43 |
dman13 | that, I think, is expected and normal | 01:43 |
projekt01 | I guess you don't use a sub site | 01:43 |
dman13 | no, just the one default site | 01:44 |
projekt01 | You added the auth utility in ++etc++site/default | 01:44 |
dman13 | I haven't learned how to manage sub sites yet | 01:44 |
dman13 | yes | 01:44 |
projekt01 | Hm, let me think.... | 01:44 |
dman13 | (this wiki is currently the only thing in this zope instance at this time) | 01:44 |
projekt01 | And the file | 01:44 |
* C8E thinks that roger is a really great tutor | 01:45 | |
dman13 | yeah, but the file is not real data :-) | 01:45 |
projekt01 | Hm, you are logged in as gwaffen. We see this in the error log....hm.... | 01:45 |
* dman13 was wondering who projekt01 was :-) | 01:45 | |
projekt01 | You mean where I am? | 01:46 |
dman13 | no, who | 01:46 |
dman13 | I was not familiar with your IRC nick | 01:46 |
projekt01 | Ah, I'm Roger Ineichen | 01:46 |
C8E | but you should be w/his domain in zope-dev ML, derrik | 01:47 |
dman13 | right. C8E gave that away when he said "Roger" | 01:47 |
dman13 | yep | 01:47 |
dman13 | oh, no, not the domain, just the real name | 01:47 |
projekt01 | I really think there is not enough permission on the object. | 01:48 |
projekt01 | Do you have access to the LDAP server? | 01:49 |
dman13 | yes | 01:49 |
projekt01 | Is it possible to recreate the user on the LDAP. | 01:50 |
projekt01 | But I'm pretty sure this will not solve the problem. | 01:50 |
dman13 | I suppose so. I would have to preserve all the data (ie imp/horde settings) and I'd have to stop the mail server so it doesn't create bounces due to no-such-user | 01:50 |
projekt01 | No, don't do this | 01:51 |
dman13 | I did try the 'Sync' view/action on the ldap auth service; but it didn't fix anything | 01:51 |
projekt01 | We are logged in as gwaffen | 01:51 |
dman13 | yes | 01:51 |
projekt01 | We just don't have enough permissions | 01:51 |
dman13 | it accepts the name+passwd pair | 01:51 |
dman13 | yeah | 01:51 |
dman13 | I don't know where to begin digging, other than re-checking the grant view | 01:52 |
projekt01 | What role do you use for gwaffen or other principals? | 01:52 |
dman13 | Site Manager | 01:52 |
projekt01 | Where did you add the roles? local or in the principal.zcml file? | 01:53 |
dman13 | I know it isn't good in terms of "security", but it is simple in terms of getting a wiki running for a dev group of 5 people | 01:53 |
dman13 | they are already defined in zcml | 01:53 |
projekt01 | Ah, of course | 01:54 |
projekt01 | Can you add a principal gwaffen in the principal.zcml and try again? | 01:54 |
*** alga has quit IRC | 01:54 | |
dman13 | before I test that -- | 01:56 |
dman13 | I took my account ('dman') and Unset the SiteManager role at the root | 01:57 |
dman13 | and then added Site Member on the hello-world file directly | 01:57 |
dman13 | and I had the same problem -- unauthorized and no roles listed in the error log | 01:57 |
dman13 | then I added SiteManager to 'dman' on the File and it works | 01:57 |
dman13 | now I'll see what happens with gwaffen in principals.zcml | 01:58 |
dman13 | ok, putting the <principal> and the <grant> in zcml works | 01:59 |
dman13 | now I'm taking the <grant> out but leaving the <principal> in | 01:59 |
*** bskahan has quit IRC | 01:59 | |
projekt01 | Ok, then the authentication can lookup the right role | 02:00 |
projekt01 | Seems that the authentication utility can't lookup the right role. | 02:00 |
dman13 | principal in zcml, grant in zodb -- fails | 02:00 |
projekt01 | What do you mean with grant in zodb fails? | 02:01 |
dman13 | on the @@PrincipalRoles.html view on the root folder I set gwaffen to 'Allow' for SiteManager | 02:01 |
dman13 | the same setting I had in the <grant> tag in ZCML | 02:02 |
dman13 | do you think it might make the anomaly disappear if I delete and recreate the ldapauth utility? | 02:02 |
projekt01 | Hm, could be. | 02:03 |
projekt01 | If so, then the cache in the LDAP could be the problem | 02:05 |
projekt01 | LDAP = LDAP utility | 02:05 |
dman13 | I'll save the database before I do that so a post-mortem will be possible | 02:06 |
projekt01 | Ok | 02:06 |
dman13 | =p | 02:10 |
dman13 | no joy | 02:10 |
dman13 | I deactivated the AuthenticationService and created a new one with a different name. | 02:11 |
dman13 | Configured that with an ldap source. | 02:11 |
dman13 | The users are found, and the grant page shows everything as 'Unset' | 02:11 |
dman13 | (so far so good) | 02:11 |
dman13 | Both myself and gwaffen are unauthorized. | 02:11 |
dman13 | So I set SiteManager to 'Allow' for both of us, | 02:12 |
dman13 | and it works for me but not gwaffen | 02:12 |
projekt01 | Hm, that's really weird | 02:12 |
dman13 | yeah. | 02:12 |
dman13 | what would be an easy way to see all of the roles a user has, without getting an unauthorized error? | 02:13 |
dman13 | (ie what method to call in the code with a 'print' statement?) | 02:13 |
projekt01 | Let's call gwaffen as a forbidden name for LDAP ;-) | 02:13 |
projekt01 | I'm looking for it.... | 02:13 |
dman13 | haha | 02:13 |
dman13 | :-) | 02:13 |
C8E | it's obvious. who do not forbid his own boss? ;) | 02:13 |
*** FarcePest has quit IRC | 02:15 | |
C8E | waffen-ss, waffenss | 02:15 |
C8E | are forbidden | 02:15 |
projekt01 | Take a look at zope.app.securitypolicy.zopepolicy there you can see methods like globalRolesForPrincipal or globalPrincipalPermissionSetting | 02:16 |
projekt01 | But I work with the trunk, I hope there are not too many changes since 3.0 | 02:17 |
dman13 | hrm | 02:25 |
dman13 | I get the empty list for both principals | 02:25 |
dman13 | from zope.app.securitypolicy.principalrole import principalRoleManager | 02:25 |
dman13 | try : | 02:25 |
dman13 | login = request.principal.getLogin() | 02:25 |
dman13 | except : | 02:25 |
dman13 | login = "anonymous" | 02:25 |
dman13 | print login, repr( | 02:25 |
dman13 | principalRoleManager.getRolesForPrincipal(request.principal) | 02:25 |
dman13 | ) | 02:25 |
dman13 | unless there is something wrong with my code there | 02:26 |
dman13 | or maybe it's because they are "local" roles (local to the root folder) | 02:26 |
projekt01 | The roles should be listed | 02:27 |
dman13 | that code, where I put it, gives me this output: | 02:27 |
dman13 | gwaffen [] | 02:27 |
dman13 | dman [] | 02:27 |
C8E | derrik, have you tried a third working user? | 02:28 |
dman13 | no, I haven't | 02:28 |
dman13 | ok, now I tried with the 'admin' user configured in principals.zcml. I get the same result. | 02:30 |
projekt01 | Argh, I don't like the code in securitypolicy. Every time, I don't know if principal means principal ID. | 02:30 |
dman13 | I guess I can find out | 02:31 |
projekt01 | Try the principal and not principal id | 02:31 |
projekt01 | Sorry, try the principal id | 02:31 |
projekt01 | Instead of the principal | 02:31 |
projekt01 | In getRolesForPrincipal | 02:32 |
dman13 | that is better, but still not quite right: | 02:32 |
dman13 | admin [('zope.Manager', <zope.app.security.settings.PermissionSetting object at 0x40c629cc>)] | 02:32 |
dman13 | dman [] | 02:32 |
dman13 | gwaffen [] | 02:32 |
dman13 | the first is in principals.zcml and the latter two are in ldap | 02:33 |
dman13 | thanks for your time and help on this! I'm going to go home now before the sun completely sets. | 02:33 |
dman13 | At least I have a workaround, and I will have to keep searching later. | 02:33 |
projekt01 | Ok, tell me what happened once you've solved the problem ;-) | 02:34 |
C8E | what time is it in dman13land? ;) | 02:35 |
dman13 | 7:35pm | 02:35 |
C8E | here's 1:37 nite -_- | 02:35 |
projekt01 | C8E, are you from Germany? | 02:35 |
C8E | ehm roger, are you in swiss? | 02:35 |
projekt01 | Yup | 02:35 |
C8E | nope, italy | 02:36 |
projekt01 | Ah, what's your name? | 02:36 |
C8E | i remember dev@projekt01.ch | 02:36 |
C8E | carlo, nice 2 meet u | 02:36 |
projekt01 | Yup | 02:36 |
*** dman13 has quit IRC | 02:36 | |
projekt01 | C8E, are you not in Rome today? | 02:37 |
C8E | nope roger | 02:37 |
C8E | i'm buddhist ;) | 02:37 |
projekt01 | Ah, ok, I just believe in god but not the church ;-) | 02:38 |
C8E | but your zope zen is strong :) | 02:39 |
projekt01 | I hope so, we have been developing with zope3 for 2 1/2 years | 02:39 |
projekt01 | We built a framework on it, which we will release this year. | 02:40 |
projekt01 | Btw, thanks | 02:40 |
C8E | ' know, i know... | 02:41 |
C8E | i'm lurking z3-d ml from near the start | 02:41 |
projekt01 | Really, wow, I think there are many. Right? | 02:42 |
C8E | i'm sure so | 02:43 |
projekt01 | Do you plan to work with z3? | 02:43 |
C8E | but is really really hard to grok | 02:44 |
projekt01 | The mails or zope3? | 02:44 |
C8E | i hope so, yes. but i've got to find the right project | 02:44 |
C8E | nope, z3 as a whole | 02:44 |
projekt01 | You like to use z3 for projects in your company or by yourself? | 02:45 |
C8E | for the clients of my company | 02:45 |
projekt01 | Cool | 02:45 |
C8E | but an internal prj should be safer, for the first time... i'll see | 02:46 |
C8E | for now, i try to leard by assimilating your mail.. ;) | 02:46 |
C8E | ^leard^learn | 02:46 |
projekt01 | Of course, just calculate some time to find out how it works | 02:46 |
C8E | the strange thing is that | 02:47 |
C8E | twisted, 4 example,is initially possibly harder than z3 | 02:48 |
C8E | but as you grok it (after months, of course ;) you went very fluent with it | 02:48 |
C8E | i dunno, but i can't get the same "fluence" w/z3 | 02:49 |
projekt01 | I think twisted is a great framework developed in python | 02:50 |
projekt01 | It doesn't use as much conceptual stuff as z3. | 02:50 |
projekt01 | Z3 is more a philosophy change with its components | 02:51 |
projekt01 | That's much harder if you think object oriented. | 02:51 |
projekt01 | You have to learn thinking in components now. | 02:52 |
C8E | yup, maybe you're right :| | 02:54 |
projekt01 | Adapters and utilities are all that you need. It's so easy. I never would work with another framework than z3 since so few components can do so many things. | 02:54 |
C8E | imho z3 lacks a bit in "quick&dirty develop", useful to work out ideas... | 02:56 |
C8E | ie, like moshe's twisted finger tutorial, if u understand what i mean | 02:56 |
projekt01 | You mean prototyping or thru the web (TTW) development? | 02:57 |
C8E | no, just sketch out some ideas without constructing the whole thing in the proper way | 02:57 |
projekt01 | Ok, I see | 02:58 |
C8E | it's a little bit big infrastructure, in order to prototypate | 02:58 |
projekt01 | We use a file based development right now, this is not as fast but you can easily debug and test. | 02:59 |
C8E | maybe the z way is to solve that w/ ttw | 02:59 |
C8E | and you never feel frustrated, when you want to quickly got a proto to valuare potential dark corner ? | 03:00 |
C8E | ^valutare^valutate | 03:01 |
projekt01 | I think so, but we like to have TTW and generate python classes at the end. Then you could use the TTW generated classes and develop file based on these classes. | 03:01 |
projekt01 | ;-) | 03:01 |
projekt01 | That's the vision....for the next years. | 03:01 |
C8E | i'm absolutely sure this is the way | 03:01 |
C8E | zclasses was too opaque | 03:02 |
projekt01 | I think there is also a way where we can draw some UML and generate python classes. | 03:03 |
projekt01 | File based development, UML and TTW should support roundtrip ;-) | 03:04 |
C8E | i hope also there will be some zcml editors, i find it a little obscure o_O | 03:04 |
projekt01 | ...and offer the right attributes...during editing ;-) | 03:05 |
projekt01 | You can use apidoc, which is a great source for this info right now. | 03:06 |
C8E | yup. it's a big richter's work :D | 03:08 |
*** hazmat__ has joined #zope3-dev | 03:32 | |
*** hazmat_ has quit IRC | 03:40 | |
*** RaFromBRC is now known as RaFromBRC|out | 04:13 | |
C8E | i go sleep(28800); nite | 04:22 |
*** C8E has left #zope3-dev | 04:23 | |
*** projekt01 has left #zope3-dev | 04:28 | |
*** RaFromBRC|out has quit IRC | 04:36 | |
*** hazmat__ has quit IRC | 06:12 | |
*** hazmat has joined #zope3-dev | 06:30 | |
*** hazmat has quit IRC | 07:09 | |
*** bradb has joined #zope3-dev | 07:26 | |
*** MiUlEr has joined #zope3-dev | 08:24 | |
*** MiUlEr has quit IRC | 09:37 | |
*** nimfa has joined #zope3-dev | 10:15 | |
*** projekt01 has joined #zope3-dev | 11:01 | |
*** nimfa is now known as Aiste | 11:29 | |
*** Aiste has quit IRC | 11:56 | |
*** Aiste has joined #zope3-dev | 12:49 | |
*** zagy_ has joined #zope3-dev | 13:51 | |
*** zagy has quit IRC | 13:51 | |
*** Aiste has quit IRC | 13:56 | |
*** Aiste has joined #zope3-dev | 14:13 | |
*** Theuni has joined #zope3-dev | 14:50 | |
*** J1m has joined #zope3-dev | 14:55 | |
VladDrac | hey j1m | 14:55 |
J1m | hi | 14:56 |
VladDrac | did you get your cmfformcontroller question answered? | 14:56 |
* VladDrac was gone - didn't see your question | 14:56 | |
J1m | Not really | 14:56 |
J1m | I think I'm past that now anyway. | 14:56 |
VladDrac | ok | 14:56 |
*** Aiste has quit IRC | 15:09 | |
*** Theuni has quit IRC | 15:10 | |
*** zagy_ is now known as z|a | 15:12 | |
*** J1m has quit IRC | 15:34 | |
*** Theuni has joined #zope3-dev | 15:41 | |
*** srichter has joined #zope3-dev | 15:43 | |
*** ChanServ sets mode: +o srichter | 15:43 | |
*** Theuni has quit IRC | 16:30 | |
*** admp has joined #zope3-dev | 17:24 | |
*** admp has quit IRC | 17:34 | |
*** admp has joined #zope3-dev | 17:38 | |
*** MiUlEr has joined #zope3-dev | 18:03 | |
*** niemeyer has joined #zope3-dev | 19:11 | |
*** niemeyer is now known as nie_out | 19:51 | |
*** nie_out is now known as niemeyer | 20:21 | |
*** admp has quit IRC | 20:28 | |
*** admp has joined #zope3-dev | 20:29 | |
*** efge has joined #zope3-dev | 20:37 | |
*** admp has quit IRC | 20:40 | |
*** BjornT has quit IRC | 20:45 | |
*** admp has joined #zope3-dev | 21:00 | |
*** admp has quit IRC | 21:10 | |
*** MiUlEr has quit IRC | 21:12 | |
*** MiUlEr has joined #zope3-dev | 21:13 | |
*** z|a has quit IRC | 21:14 | |
*** zagy has joined #zope3-dev | 21:17 | |
*** BjornT has joined #zope3-dev | 21:41 | |
*** efge has quit IRC | 21:44 | |
*** tvon has joined #zope3-dev | 21:58 | |
*** admp has joined #zope3-dev | 22:11 | |
*** MiUlEr has quit IRC | 22:39 | |
*** MiUlEr has joined #zope3-dev | 22:44 | |
*** SteveA_ has quit IRC | 22:46 | |
*** efge has joined #zope3-dev | 22:46 | |
*** efge has quit IRC | 22:48 | |
*** SteveA has joined #zope3-dev | 22:49 | |
*** efge has joined #zope3-dev | 22:56 | |
*** efge has joined #zope3-dev | 22:57 | |
*** tvon has quit IRC | 23:01 | |
*** bradb has quit IRC | 23:11 | |
*** C81 has joined #zope3-dev | 23:30 | |
C81 | hi | 23:30 |
*** C81 is now known as C8N | 23:31 |