Anonymous user content creation issue

Hi, Guys!

We'd like to achieve this functionality:

An anonymous user is able to fill in and submit the form. A custom content-type object is created and saved to a particular folder.

However, we're encountering a 401 error while saving the object (our guess is that it is some sort of temporary object):

message: "You are not allowed to access '13782108' in this context"
type: "Unauthorized"

despite the fact that adding permissions were granted for the anonymous user in the content-type declaration and role-map.xml.

content type declaration:

<?xml version="1.0" encoding="utf-8"?>
<object name="anonymous_application" meta_type="Dexterity FTI" i18n:domain="mydomain" xmlns:i18n="http://xml.zope.org/namespaces/i18n">
...
 <property name="add_permission">addon.anonymousapplication.can_create_anonymous_application</property>
...
</object>

role-map.xml


<?xml version="1.0"?>
<rolemap>
  <permissions>
    ...
    <permission name="addon.anonymousapplication: Can create content Anonymous Application" acquire="True">
      <role name="Anonymous"/>
    </permission>
    ...
  </permissions>
</rolemap>

I'm aware of the adopt_roles and adopt_user approach: here and here

The question is: is there any way to achieve it declaratively, or what are we doing wrong?

thanks )

1 Like

Your anonymous users may have no permission to view the new object, which may be private. You need to grant this permission as well.

Also try to enable verbose security to find out which permission is missing:

  • Set verbose-security = on for your instance
  • Remove the Unauthorized exception from the list of ignored exceptions inside the error_log object within the Plone root folder through the ZMI
1 Like

Thanks!

Initially we used this method for content creation:

from plone import api

container = api.portal.get_tool("anonymous_application_folder")
payload = {
    # ...
    "container": container,
    # ...
}
content = api.content.create(**payload)

I've added verbose-security = on and removed the Unauthorized exception from the list, and that really made the traceback look this way:

  ...
  Module ZPublisher.WSGIPublisher, line 68, in call_object
  Module plone.rest.service, line 21, in __call__
  Module plone.restapi.services, line 19, in render
  Module myaddon.api.application, line 92, in reply
  Module myaddon.utils.content, line 75, in create_anonymous_application
  Module decorator, line 232, in fun
  Module plone.api.validation, line 73, in wrapped
  Module decorator, line 232, in fun
  Module plone.api.validation, line 149, in wrapped
  Module plone.api.content, line 106, in create
  Module plone.folder.ordered, line 194, in manage_renameObject
  Module OFS.CopySupport, line 362, in manage_renameObject
  Module plone.dexterity.content, line 271, in _verifyObjectPaste
  Module Products.CMFCore.PortalFolder, line 405, in _verifyObjectPaste
  Module OFS.CopySupport, line 503, in _verifyObjectPaste
AccessControl.unauthorized.Unauthorized: You are not allowed to access '79600142' in this context

But if I modify the code this way, it starts working fine:

from plone.dexterity.utils import createContentInContainer
content = createContentInContainer(portal_type="anonymous_application", **payload)

I'm still a bit confused about permissions, because I was thinking both ways utilize the same API under the hood.

Leonid Toporkov via Plone Community wrote at 2024-2-22 06:47 +0000:

Thanks!

Initially we used this method for content creation:

from plone import api

container = api.portal.get_tool("anonymous_application_folder")
payload = {
   # ...
   "container": container,
   # ...
}
content = api.content.create(**payload)

I've added verbose-security = on and removed the Unauthorized exception from the list, and that really made the traceback look this way:

 ...
 Module ZPublisher.WSGIPublisher, line 68, in call_object
 Module plone.rest.service, line 21, in __call__
 Module plone.restapi.services, line 19, in render
 Module myaddon.api.application, line 92, in reply
 Module myaddon.utils.content, line 75, in create_anonymous_application
 Module decorator, line 232, in fun
 Module plone.api.validation, line 73, in wrapped
 Module decorator, line 232, in fun
 Module plone.api.validation, line 149, in wrapped
 Module plone.api.content, line 106, in create
 Module plone.folder.ordered, line 194, in manage_renameObject
 Module OFS.CopySupport, line 362, in manage_renameObject
 Module plone.dexterity.content, line 271, in _verifyObjectPaste
 Module Products.CMFCore.PortalFolder, line 405, in _verifyObjectPaste
 Module OFS.CopySupport, line 503, in _verifyObjectPaste
AccessControl.unauthorized.Unauthorized: You are not allowed to access '79600142' in this context

But if I modify the code this way, it starts working fine:

from plone.dexterity.utils import createContentInContainer
content = createContentInContainer(portal_type="anonymous_application", **payload)

I'm still a bit confused about permissions, because I was thinking both ways utilize the same API under the hood.

Apparently, the problematic case tries to rename the object (which checks whether this is allowed); the successful case might directly use the correct object id and can therefore avoid the renaming.

1 Like
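
The difference between the two creation paths discussed in this thread, as an added example that is not part of the original posts and is not Zope or Plone code. It is a simplified model: the `Folder` class, the role sets, the temporary-id scheme and the rule that a rename also requires access to the existing object are assumptions made for illustration.

```python
# Simplified model of the two creation paths; NOT Zope or Plone code.
import random


class Unauthorized(Exception):
    pass


class Folder:
    """Toy container: add_roles may add items, access_roles may access them."""

    def __init__(self, add_roles, access_roles):
        self.add_roles, self.access_roles = set(add_roles), set(access_roles)
        self.items = {}

    def add(self, roles, obj_id, obj):
        # Adding checks only the add permission (granted to Anonymous in the thread).
        if not self.add_roles & set(roles):
            raise Unauthorized(f"You are not allowed to add {obj_id!r}")
        self.items[obj_id] = obj

    def rename(self, roles, old_id, new_id):
        # Assumption: rename verifies, like a paste, that the user may also
        # access the object that already sits in the folder.
        if not self.access_roles & set(roles):
            raise Unauthorized(
                f"You are not allowed to access {old_id!r} in this context")
        self.items[new_id] = self.items.pop(old_id)


def create_then_rename(folder, roles, final_id, obj):
    """Failing path in the traceback: add under a temporary id, then rename."""
    temp_id = str(random.randint(0, 99999999))  # assumed temporary-id scheme
    folder.add(roles, temp_id, obj)
    folder.rename(roles, temp_id, final_id)


def create_with_final_id(folder, roles, final_id, obj):
    """Working path as the reply supposes: add directly under the final id."""
    folder.add(roles, final_id, obj)


def attempt(create, folder, roles, final_id="application-1"):
    """Return 'created' or the Unauthorized message for one attempt."""
    try:
        create(folder, roles, final_id, object())
        return "created"
    except Unauthorized as exc:
        return str(exc)
```

In the model the rename path succeeds only when Anonymous is also in `access_roles`; on a real site the equivalent grant makes submitted objects readable by every anonymous visitor, which is a wider grant than the form needs.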