zopefoundation / Products.ZSQLMethods

SQL method support for Zope.

Unauthorized for ZSQLMethods #25

Closed hekl closed 4 years ago

hekl commented 4 years ago

I have upgraded my existing Zope 2 to Zope 4 (4.1.3, Python 3.6.9, Linux). Locally it works fine. On the server it gives an exception for every page with a ZSQL method in the web view. Other pages have no problem. It is this error:

Error Type: Unauthorized Error Value: Your user account does not have the required permission. Access to 'sqlQuery' of (OrderedFolder at /mysite/news_folder) denied. Your user account, Anonymous User, exists at /acl_users. Access requires Use_Database_Methods_Permission, granted to the following roles: ['Authenticated', 'Manager']. Your roles in this context are ['Anonymous'].

Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 156, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 338, in publish_module
  Module ZPublisher.WSGIPublisher, line 256, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module ZPublisher.WSGIPublisher, line 62, in call_object
  Module OFS.DTMLMethod, line 177, in call

d-maurer commented 4 years ago

Henk Laloli wrote at 2020-3-20 15:57 -0700:

I have upgraded my existing Zope 2 to Zope 4. Locally it works fine. On the server it gives an exception for every page with a ZSQL method in the web view. Other pages have no problem. It is this error:

Error Type: Unauthorized Error Value: Your user account does not have the required permission. Access to 'sqlQuery' of (OrderedFolder at /mysite/folder) denied. Your user account, Anonymous User, exists at /acl_users. Access requires Use_Database_Methods_Permission, granted to the following roles: ['Authenticated', 'Manager']. Your roles in this context are ['Anonymous'].

This error message is quite clear: Apparently, an "Anonymous" user is trying to access a ZSQLMethod, protected by the Use_Database_Methods_Permission. In your setup, this permission is granted to the roles 'Authenticated' and 'Manager', but not Anonymous. The result must be an Unauthorized exception.

If you are confident that the use of this particular ZSQLMethod is safe for use by anonymous users (in general, SQL methods might pose a risk), then you can grant the permission Use_Database_Methods_Permission for this object to Anonymous.

There used to be a ZMI tab for this (likely labeled Permissions). In new versions, this tab might have been suppressed (because in a larger (--> "CMFCore", "Plone", ...) context, its use can easily break things). In this case, appending "/manage_access" to the SQL method URL will allow you to manage the permission-to-role assignment for this object.

dataflake commented 4 years ago

The ZMI tab is called "Security" and it still exists on all ZMI objects. It is not and has never been hidden.

hekl commented 4 years ago

Thanks for your reply. Indeed, in the ZMI not much has changed. But your comment made me look at the permissions at the highest level. The permission role for the Anonymous user to "use database methods" was not on. In my old Zope it was. That solved it.
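A model of the permission resolution this thread turns on, added here as an illustration and not code from the Zope code base: each object's setting for Use_Database_Methods_Permission either extends (acquire) or replaces the roles its parent grants, so a grant made at the root reaches /mysite/news_folder/sqlQuery, and so does a local grant made through manage_access. The object paths come from the error message; the Node class, the build_site tree and the default roles are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PERM = "Use_Database_Methods_Permission"  # attribute name from the error message

class Unauthorized(Exception):
    pass

@dataclass
class Node:
    # settings: permission -> (roles, acquire). acquire=True adds roles to what the
    # parent grants (Zope stores a list); acquire=False is final (Zope stores a tuple).
    path: str
    parent: Optional["Node"] = None
    settings: Dict[str, Tuple[List[str], bool]] = field(default_factory=dict)

def roles_for_permission(obj: Node, perm: str, default=("Manager",)) -> List[str]:
    """Walk the containment chain the way Zope resolves a permission's roles."""
    roles: List[str] = []
    node: Optional[Node] = obj
    while node is not None:
        if perm in node.settings:
            local, acquire = node.settings[perm]
            roles += [r for r in local if r not in roles]
            if not acquire:
                return roles
        node = node.parent
    return roles or list(default)

def is_allowed(user_roles, obj: Node, perm: str = PERM) -> bool:
    return bool(set(user_roles) & set(roles_for_permission(obj, perm)))

def check_access(user_roles, obj: Node, perm: str = PERM) -> List[str]:
    """Return the granting roles, or raise Unauthorized as ZPublisher does."""
    granted = roles_for_permission(obj, perm)
    if not set(user_roles) & set(granted):
        raise Unauthorized(f"Access to {obj.path} denied. Access requires {perm}, "
                           f"granted to {granted}. Your roles are {list(user_roles)}.")
    return granted

def build_site(root_roles, local_grant=None) -> Node:
    """Constructed tree using the issue's paths; local_grant adds roles with
    'acquire' directly on the ZSQL method, as the manage_access form would."""
    root = Node("/", settings={PERM: (list(root_roles), False)})
    folder = Node("/mysite/news_folder", Node("/mysite", root))
    method = Node("/mysite/news_folder/sqlQuery", folder)
    if local_grant:
        method.settings[PERM] = (list(local_grant), True)
    return method
```

build_site(["Authenticated", "Manager"]) reproduces the denial in the report; adding "Anonymous" at the root, or passing local_grant=["Anonymous"], reproduces the two fixes discussed above.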