Submitted by : tralala at: 2008-08-17T13:24:19-07:00 (9 years ago)

When the "Anonymous" role doesn't have view access to the wiki, trying to access a non-existing page results in an error instead of the page adding template. A traceback obtained from a console follows:

Traceback (most recent call last):
  File "/usr/lib/zope2.9/lib/python/OFS/SimpleItem.py", line 221, in raise_standardErrorMessage
    v = s(client, REQUEST, **kwargs)
  File "/usr/lib/zope2.9/lib/python/OFS/DTMLMethod.py", line 145, in __call__
    r=apply(HTML.__call__, (self, client, REQUEST), kw)
  File "/usr/lib/zope2.9/lib/python/DocumentTemplate/DT_String.py", line 476, in __call__
    try: result = render_blocks(self._v_blocks, md)
  File "/usr/lib/zope2.9/lib/python/DocumentTemplate/DT_Let.py", line 75, in render
    else: d[name]=expr(md)
  File "/usr/lib/zope2.9/lib/python/DocumentTemplate/DT_Util.py", line 190, in eval
    d[name] = md.getitem(name, 0)
Unauthorized: You are not allowed to access 'objectValues' in this context

... --tralala, Sun, 17 Aug 2008 13:25:39 -0700 reply

Category: user-issuetracking => general

Happens with 0.60 too, is due to standard_error_message --betabug, Mon, 18 Aug 2008 04:09:36 -0700 reply

Name: '#1419 ZWiki-unstable: Adding pages is impossible when "Anonymous" has no view access' => '#1419 Adding pages is impossible when "Anonymous" has no view access'

To specify this: It happens when trying to add wiki pages by going to example.org/wiki/NonexistingPage. Normally you would get the "this page doesn't exist, do you want to create it or search for it" page, but that tries to access stuff (like objectValues) that is secured by the "Access contents information" permission (but similar errors occur if "Access contents information" is "on" for anonymous and "View" is "off" for anonymous).

The problem is basically that standard_error_message is always executed as the anonymous user. We have another problem with this: The button for "create page" appears even if the visitor doesn't have permission to create pages.

One idea for fixing this would be to go away from standard_error_message for this functionality, instead use a __before_publishing_traverse__ hook to identify non-existing pages.
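
A constructed Python model of the two problems described in this thread (the not-found page rendering as Anonymous, and the "create page" button shown regardless of permission) next to a check made against the visitor's own role. It is an added example, not Zope or ZWiki code. Assumptions: the role table, the "Add pages" permission name and all function names are hypothetical, and the visitor's role is taken to be known when the missing page is detected.

```python
class Unauthorized(Exception):
    """Stand-in for the Unauthorized error in the traceback."""

# Constructed role table; "Add pages" is a placeholder permission name.
ROLE_PERMISSIONS = {
    "Anonymous": set(),  # no view access, as in the report
    "Reader": {"View", "Access contents information"},
    "Editor": {"View", "Access contents information", "Add pages"},
}

def list_objects(pages, role):
    # Models a listing guarded by "Access contents information".
    if "Access contents information" not in ROLE_PERMISSIONS[role]:
        raise Unauthorized("You are not allowed to access 'objectValues' in this context")
    return sorted(pages)

def error_page_as_anonymous(pages, name, visitor_role):
    # Reported behaviour: the not-found page renders as Anonymous whoever is
    # visiting, reads the guarded listing, and always offers "create page".
    similar = [p for p in list_objects(pages, "Anonymous") if p.startswith(name[:3])]
    return {"status": 404, "similar": similar, "show_create": True}

def not_found_for_visitor(pages, name, visitor_role):
    # Model of the proposed direction: handle the missing page outside the
    # error template, with checks made against the visitor's own role.
    perms = ROLE_PERMISSIONS[visitor_role]
    if "View" not in perms:
        # Denied: no listing, no create button, no detail about the wiki.
        return {"status": 401, "similar": [], "show_create": False}
    similar = []
    if "Access contents information" in perms:
        similar = [p for p in list_objects(pages, visitor_role) if p.startswith(name[:3])]
    return {"status": 404, "similar": similar, "show_create": "Add pages" in perms}

def demo():
    pages = {"FrontPage", "NonStandardPage"}  # constructed sample wiki
    try:
        error_page_as_anonymous(pages, "NonexistingPage", "Editor")
        old = "rendered"
    except Unauthorized:
        old = "Unauthorized"
    return old, {r: not_found_for_visitor(pages, "NonexistingPage", r) for r in ROLE_PERMISSIONS}

if __name__ == "__main__":
    print(demo())
```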