[z3-five] ZCML security declarations and properties

Martin Aspeli optilude at gmx.net
Tue Apr 17 09:24:44 CEST 2007


Tres Seaver wrote:
> Martin Aspeli wrote:
>> Hi guys,
>>
>> I have an interface that defines various properties:
>>
>> class IFoo(Interface):
>>
>>     bar = schema.TextLine(...)
>>
>> class Foo(SimpleItem):
>>     implements(IFoo)
>>
>>     bar = property(...)
>>
>> I then have this in ZCML:
>>
>>     <class class=".foo.Foo">
>>         <require
>>             permission="zope2.View"
>>             interface=".interfaces.IFoo"
>>             />
>>         <require
>>             permission="cmf.ModifyPortalContent"
>>             set_schema=".interfaces.IFoo"
>>             />
>>     </class>
>>
>> However, if I try to do
>>
>>      <span tal:content="context/getPhone">Phone number</span>
>>
>> in a ViewPageTemplateFile in a Z3 view (i.e. trusted code), I get:
>>
>>      Unauthorized: You are not allowed to access 'bar' in this context
>>
>> This is with verbose-security on, but not much help there...
>>
>> What am I missing here? Why is this happening even in trusted code?
> 
> 'getPhone' is not declared as being part of the interface to which you
> grant permission in the ZCML; 

Sorry, I'm being a muppet. The code I pasted was the workaround (I used 
a method). This is the code that gives the error:

<span tal:content="context/bar">Bar</span>

(I've simplified my code down to Foo and bar; obviously it had to do 
with a phone number to start with.) 'bar' here is in the interface.

I *think* the key point here is that 'bar' is a Python property, not a 
method, but I'm not sure.

> your other error is assuming that a ZPT
> is trusted code.  You need to grant permissions for *all* attributes /
> methods you access through ZPT, *except* those bound into the top-level
> namespace (like 'options', 'request' etc.)

I'm talking about a ZPT bound to a Z3 view with 
Products.Five.browser.pagetemplatefile.ViewPageTemplateFile. In my 
understanding, these are trusted code, at least I'm able to do all kinds 
of otherwise "insecure" things inside them, but not access this bit of 
my context content object.

e.g.

class FooView(BrowserView):
    __call__ = ViewPageTemplateFile('foo.pt')

and the HTML <span tal:content="context/bar">Bar</span> goes inside foo.pt.

Martin
