I came across this again and did some more debugging.
Is your test using a browser view? If so, it wouldn't trigger the error, because it probably only happens in protected code.
Basically, I think the problem is this:
- The expression does exists:portal/++resource++foo.bar/some-stylesheet.css
- This finds the ZopeTwoDirectoryResource for ++resource++foo.bar
- It then tries to traverse to some-stylesheet.css, which calls restrictedTraverse() on the ZopeTwoDirectoryResource
- This ends up calling validate() on the security manager
- This ends up here, in AccessControl.ImplPython:
p = Containers(type(container), None)
if p is None:
p = getattr(container, '__allow_access_to_unprotected_subobjects__', None)
if p is not None:
if not isinstance(p, int): # catches bool too if isinstance(p, dict): if isinstance(name, basestring): p = p.get(name) else: p = 1 else: p = p(name, value)
if not p:
if self._verbose: raiseVerbose( 'The container has no security assertions', accessed, container, name, value, context) raise Unauthorized(name, value)
The variables are:
(Pdb) pp accessed, container, name, value, context
(<five.grok.components.ZopeTwoDirectoryResource object at 0x6dd48b0>,
<five.grok.components.ZopeTwoDirectoryResource object at 0x6dd48b0>,
None,
<Products.Five.browser.resource.FileResource object at 0x6dd4910>,
<AccessControl.SecurityManagement.SecurityContext instance at 0x6da51e8>)
As you can see from this code, it's trying to determine if you're allowed to access an item in a container. For that to be allowed, you need to set __allow_access_to_unprotected_subobjects__ to True (or to a method that returns True when called with the sub-item name).
Therefore, adding this to ZopeTwoDirectoryResource seems to do the trick:
class ZopeTwoDirectoryResource(resource.DirectoryResource):
__allow_access_to_unprotected_subobjects__ = True
Hi Sylvain,
I came across this again and did some more debugging.
Is your test using a browser view? If so, it wouldn't trigger the error, because it probably only happens in protected code.
Basically, I think the problem is this:
- The expression does exists: portal/ ++resource+ +foo.bar/ some-stylesheet .css yResource for ++resource++foo.bar .css, which calls restrictedTrave rse() on the ZopeTwoDirector yResource ImplPython:
- This finds the ZopeTwoDirector
- It then tries to traverse to some-stylesheet
- This ends up calling validate() on the security manager
- This ends up here, in AccessControl.
p = Containers( type(container) , None)
'__allow_ access_ to_unprotected_ subobjects_ _',
None)
if p is None:
p = getattr(container,
if p is not None:
if isinstance(p, dict):
if isinstance(name, basestring):
p = p.get(name)
else:
p = 1
else:
p = p(name, value)
if not isinstance(p, int): # catches bool too
if not p:
raiseVerb ose(
'The container has no security assertions',
accessed, container, name, value, context)
raise Unauthorized(name, value)
if self._verbose:
The variables are:
(Pdb) pp accessed, container, name, value, context grok.components .ZopeTwoDirecto ryResource object at 0x6dd48b0>, grok.components .ZopeTwoDirecto ryResource object at 0x6dd48b0>, Five.browser. resource. FileResource object at 0x6dd4910>, .SecurityManage ment.SecurityCo ntext instance at 0x6da51e8>)
(<five.
<five.
None,
<Products.
<AccessControl
As you can see from this code, it's trying to determine if you're allowed to access an item in a container. For that to be allowed, you need to set __allow_ access_ to_unprotected_ subobjects_ _ to True (or to a method that returns True when called with the sub-item name).
Therefore, adding this to ZopeTwoDirector yResource seems to do the trick:
class ZopeTwoDirector yResource( resource. DirectoryResour ce): access_ to_unprotected_ subobjects_ _ = True
__allow_
Do you agree with this?
Cheers,
Martin