Submitted by : simon at: 2004-05-13T09:00:19+00:00 (16 years ago)

Investigate... also, the general issue of requiring a username for renaming - should we continue this policy?

want to look at this --betabug, Mon, 17 Sep 2007 11:29:34 -0700 reply

so it's now On Betabug's List :-)

Looks like a login box pops up --betabug, Mon, 17 Sep 2007 13:01:51 -0700 reply

Trying to reproduce this. It seems that when I haven't given any permissions to edit Zwiki pages to anonymous, a login box is popping up. When I have given anonymous the "edit zwiki pages" and "rename zwiki pages" permission, it displays a traceback:

Module Products.ZWiki.plugins.tracker.tracker, line 343, in changeIssueProperties
Module Products.ZWiki.Editing, line 633, in rename
Module Products.ZWiki.Editing, line 675, in changeIdPreservingCreator
Module OFS.CopySupport, line 348, in manage_renameObject
Module OFS.CopySupport, line 526, in _verifyObjectPaste

Insufficient Privileges

You do not possess the Zwiki: Add pages permission in the context of the container into which you are pasting, thus you are not able to perform this operation.

should use self.checkSufficientId()? --betabug, Mon, 17 Sep 2007 13:05:50 -0700 reply

Likely the code in question should use self.checkSufficientId(), and given that it would suffice to give anonymous the "Zwiki: Add pages" permission too. If that is not intended (i.e. on some wiki users should be allowed to edit issues, but not create new pages), then there would be a real problem I believe.

... --simon, Thu, 20 Sep 2007 09:16:52 -0700 reply

I think the problem is that editing an issue page requires Zwiki: Add pages permission, and this is non-obvious (maybe true for renaming a page also). changeIdPreservingCreator calls manage_renameObject, which is a user api method, doing access checks again etc. I think really we should be calling some more low-level code and not doing access checks at this point.