
Sneaky Insufficient Privileges error

by nguyen — published Apr 18, 2012 11:43 AM, last modified Aug 16, 2016 10:50 AM
inexplicable me


On one of our workflow application sites we handle a large number of study abroad application "forms" (content objects).  Periodically, we need to update many of these objects, for example, to mark that the student has attended an orientation session.  For this mass update we created a Controller Page Template and associated validation and action scripts.


The mass update form and scripts worked fine a few months ago but have since been giving Insufficient Privileges errors no matter who uses them: people who were able to use them successfully before, and even a Zope-level admin user.


After much debugging and stepping through code, I found that the security manager was reporting that the owner of the object (in this case the action script) was "Anonymous User".  I looked at the action script using the ZMI and then clicked on the Owner tab.  The owner was the account of my former student who had created the form and its scripts.  When I clicked the "Take ownership" button, the mass update form ran successfully.

The problem was therefore that my student's account had been removed from our LDAP server, about one and a half years after he had last worked here.  Because his account was no longer in our LDAP, Plone was unable to look him up, and was treating his account as "Anonymous User".
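
A check for the condition described above, as an added example that is not part of the original post: it walks an object tree and reports every object whose recorded owner can no longer be looked up in its user folder. The function name `find_orphaned_owners` and the `Fake*` classes are hypothetical; the code assumes the standard Zope object methods `getOwnerTuple()`, `objectValues()`, `getPhysicalPath()`, `unrestrictedTraverse()`, the user folder method `getUserById()` and the `isPrincipiaFolderish` flag, and the sample tree is constructed.

```python
# Added example: audit for owners that no longer resolve (the "Anonymous User" case).
def find_orphaned_owners(root, container=None):
    """Return [(path, owner_id)] for objects whose owner no longer resolves."""
    container = root if container is None else container
    found = []
    for obj in container.objectValues():
        owner = obj.getOwnerTuple()  # (user-folder path, user id) or None
        if owner is not None:
            udb_path, user_id = owner
            udb = root.unrestrictedTraverse(udb_path, None)
            # Missing user folder or missing user: the owner resolves to Anonymous.
            if udb is None or udb.getUserById(user_id, None) is None:
                found.append(("/".join(obj.getPhysicalPath()), user_id))
        # Check the folderish flag: leaf objects can acquire objectValues.
        if getattr(obj, "isPrincipiaFolderish", False):
            found.extend(find_orphaned_owners(root, obj))
    return found


# --- Constructed stand-ins so the check runs without a Zope instance ---
class FakeUserFolder:
    def __init__(self, ids):
        self.ids = set(ids)
    def getUserById(self, uid, default=None):
        return uid if uid in self.ids else default


class FakeItem:
    def __init__(self, path, owner=None, children=(), user_ids=()):
        self.path, self.owner, self.children = path, owner, list(children)
        self.isPrincipiaFolderish = bool(children)
        self.acl_users = FakeUserFolder(user_ids)  # only consulted on the root
    def getOwnerTuple(self):
        return self.owner
    def getPhysicalPath(self):
        return tuple(self.path.split("/"))
    def objectValues(self):
        return self.children
    def unrestrictedTraverse(self, path, default=None):
        return self.acl_users if list(path) == ["acl_users"] else default


def demo():
    admin = (["acl_users"], "admin")
    script = FakeItem("/site/mass_update_action", (["acl_users"], "former_student"))
    form = FakeItem("/site/mass_update_form", admin)
    site = FakeItem("/site", admin, [form, script])
    root = FakeItem("", None, [site], user_ids=["admin"])  # LDAP entry removed
    return find_orphaned_owners(root)
```

Against a live site the function would be called with the Zope application root in place of the constructed tree; objects that acquire their owner from an orphaned container are reported as well.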

Things I'd Tried

I enabled verbose security, but somehow Plone was not showing the verbose message that was being fed to raiseUnauthorized().

I added a bunch of zLOG logging statements throughout.

Eventually I added a statement in the code for Traversable's unrestrictedTraverse() method:

# Break into the debugger only when traversal reaches the suspect object
if name == 'the-id-of-the-object-that-seemed-to-be-the-problem':
    import pdb; pdb.set_trace()

and traced through the code, down into the call to the security manager's validate() method.