plone / Products.CMFPlone

The core of the Plone content management system
https://plone.org
GNU General Public License v2.0

Can't Access Controlpanel #3031

Closed 1letter closed 2 years ago

1letter commented 4 years ago

Can't access Controlpanel in Plone after saving the form of portal_controlpanel in the ZMI

What I did:

Fresh 5.2 Installation

  1. Log in, e.g. as Manager
  2. Go to /@@overview-controlpanel -> all is OK
  3. Go to /portal_controlpanel in the ZMI
  4. Don't touch anything, only click "Save" at the end of the form
  5. Go to /@@overview-controlpanel -> redirect to /insufficient-privileges

What I expect to happen:

What actually happened:

What version of Plone/ Addons I am using:

Plain 5.2

pbauer commented 4 years ago

I was able to reproduce that on http://demo.plone.org.

You need to delete the controlpanel Change Password. I had the same case after a Plone 4 to 5.2 migration. I did not check then what the problem really was; maybe a condition that throws unauthorized is evaluated even though Visible? is set to off.

1letter commented 4 years ago

It looks like the same error, like you described.

2020-02-06 16:54:41,435 ERROR   [Zope.SiteErrorLog:251][waitress] 1581004481.43128160.6733657856329289 http://127.0.0.1:8080/sps/@@overview-controlpanel
Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 156, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 338, in publish_module
  Module ZPublisher.WSGIPublisher, line 256, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module ZPublisher.WSGIPublisher, line 62, in call_object
  Module Products.CMFPlone.controlpanel.browser.overview, line 34, in __call__
  Module Products.Five.browser.pagetemplatefile, line 126, in __call__
  Module Products.Five.browser.pagetemplatefile, line 61, in __call__
  Module zope.pagetemplate.pagetemplate, line 135, in pt_render
  Module Products.PageTemplates.engine, line 88, in __call__
  Module z3c.pt.pagetemplate, line 173, in render
  Module chameleon.zpt.template, line 306, in render
  Module chameleon.template, line 209, in render
  Module chameleon.utils, line 75, in raise_with_traceback
  Module chameleon.template, line 187, in render
  Module 0e0cd4ad140156fad1f44c49fe40a288, line 1095, in render
  Module 8ca829f28dcca13c148f1acc28a6601d, line 287, in render_master
  Module 2d3f21bae3ebbcd3fdbada806cdda9be, line 688, in render_master
  Module 8ca829f28dcca13c148f1acc28a6601d, line 267, in __fill_content
  Module 2d3f21bae3ebbcd3fdbada806cdda9be, line 1274, in render_content
  Module 8ca829f28dcca13c148f1acc28a6601d, line 258, in __fill_main
  Module 0e0cd4ad140156fad1f44c49fe40a288, line 540, in __fill_prefs_configlet_main
  Module Products.CMFPlone.controlpanel.browser.overview, line 137, in sublists
  Module Products.CMFPlone.PloneControlPanel, line 134, in enumConfiglets
  Module Products.CMFCore.ActionInformation, line 389, in testCondition
  Module Products.CMFCore.Expression, line 53, in __call__
  Module Products.PageTemplates.ZRPythonExpr, line 49, in __call__
   - __traceback_info__: member.canPasswordSet()
  Module PythonExpr, line 1, in <module>
  Module AccessControl.ImplPython, line 767, in guarded_getattr
  Module AccessControl.ImplPython, line 709, in aq_validate
  Module AccessControl.ImplPython, line 598, in validate
  Module AccessControl.ImplPython, line 332, in validate
  Module AccessControl.ImplPython, line 846, in raiseVerbose
zExceptions.unauthorized.Unauthorized: AccessControl.unauthorized.Unauthorized: The container has no security assertions.  Access to 'canPasswordSet' of (Products.PlonePAS.tools.memberdata.MemberData object at 0x7ff15cefde48) denied.
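
Added example, not part of the original comment or of Plone's code: a small Python triage helper that pulls the security-relevant fields out of a SiteErrorLog entry like the one above (request URL, the restricted expression that was evaluated, the denied attribute and object class, and the last frame outside the expression and AccessControl machinery). The sample is a constructed abbreviation of the quoted traceback; the function name, field names and the `MACHINERY` prefix list are assumptions.

```python
import re

# Constructed sample: an abbreviated copy of the traceback quoted above.
SAMPLE = """\
2020-02-06 16:54:41,435 ERROR   [Zope.SiteErrorLog:251][waitress] 1581004481.43128160.6733657856329289 http://127.0.0.1:8080/sps/@@overview-controlpanel
Traceback (innermost last):
  Module Products.CMFPlone.controlpanel.browser.overview, line 137, in sublists
  Module Products.CMFPlone.PloneControlPanel, line 134, in enumConfiglets
  Module Products.CMFCore.ActionInformation, line 389, in testCondition
  Module Products.CMFCore.Expression, line 53, in __call__
  Module Products.PageTemplates.ZRPythonExpr, line 49, in __call__
   - __traceback_info__: member.canPasswordSet()
  Module PythonExpr, line 1, in <module>
  Module AccessControl.ImplPython, line 846, in raiseVerbose
zExceptions.unauthorized.Unauthorized: AccessControl.unauthorized.Unauthorized: The container has no security assertions.  Access to 'canPasswordSet' of (Products.PlonePAS.tools.memberdata.MemberData object at 0x7ff15cefde48) denied.
"""

HEADER = re.compile(r"ERROR\s+\[Zope\.SiteErrorLog:\d+\]\[[^\]]*\]\s+\S+\s+(?P<url>\S+)")
FRAME = re.compile(r"^\s+Module (?P<module>\S+), line (?P<line>\d+), in (?P<func>\S+)")
INFO = re.compile(r"^\s+- __traceback_info__: (?P<expr>.+)$")
DENIED = re.compile(r"Unauthorized: .*Access to '(?P<attr>[^']+)' of \((?P<cls>[\w.]+) object")
# Assumption: frames from these modules are expression evaluation or security checks.
MACHINERY = ("Products.CMFCore.", "Products.PageTemplates.", "PythonExpr", "AccessControl.")

def triage(log_text):
    """Summarise one SiteErrorLog entry for an Unauthorized raised in restricted code."""
    result = dict.fromkeys(("url", "expression", "attribute", "object_class", "caller"))
    for line in log_text.splitlines():
        if m := HEADER.search(line):
            result["url"] = m["url"]
        elif m := FRAME.match(line):
            # Tracebacks are "innermost last": keep overwriting so we end up with
            # the last frame outside the machinery, i.e. the code that asked for
            # the condition to be evaluated.
            if not m["module"].startswith(MACHINERY):
                result["caller"] = (m["module"], m["func"])
        elif m := INFO.match(line):
            result["expression"] = m["expr"].strip()
        elif m := DENIED.search(line):
            result["attribute"], result["object_class"] = m["attr"], m["cls"]
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
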

petschki commented 2 years ago

Just got the same in a fresh Plone 6.0.0a2 installation (and on https://demo-latest-plone6.plone.org) ... removing the Change Password from controlpanel solves the issue. This is not a migration problem. I think we can safely remove this from controlpanel since changing password is in the @@personal-preferences user-menu as tab ... I think also the Personal Preferences controlpanel should be removed.

Rudd-O commented 2 years ago

Should the migrator not delete that entry if it exists tho?

petschki commented 2 years ago

First the entries should be removed from CMFPlone controlpanel.zcml ... I'm not sure where this should happen in plone.app.upgrade but it definitely should happen.

1letter commented 2 years ago

@mauritsvanrees I would like to fix this via an Upgrade step in plone.app.upgrades and a corrected version of controlpanel.xml in this package. What is the right and correct way, if two packages are affected? Should I create a branch in buildout.coredev with these two affected packages? What else should I watch out for? Sorry for my "stupid" questions.

mauritsvanrees commented 2 years ago

@1letter Easiest in this case is to treat it as two separate problems:

  1. The control panel has a wrong permission. This can be fixed with a PR for Products.CMFPlone. (I assume; I did not check the details.) That fixes it for new sites.
  2. Add an upgrade step in plone.app.upgrade. This fixes it for existing sites.

It sounds like this should be fixed in both Plone 5.2 and 6. So four PRs, if you are up to it. (plone.app.upgrade uses a different branch in 5.2.)

This is the easiest approach, and it works because the two PRs don't have code that depends on the other PR.

Alternatively you could see it as one problem. You would still create the same PRs. But then you would simply test two PRs together. For Plone 6:

This is a fine approach too. Theoretically slightly better for the planet, as Jenkins runs fewer jobs. :-)