[z3-five] Templates in views and path expressions
Martin Aspeli
optilude at gmx.net
Sun May 6 21:44:11 CEST 2007
Hi guys,
This is driving me up the wall.
I have a content class:
from zope.interface import implements
# Container and IProject are imported from the package (imports not shown in the post)

class Project(Container):
    implements(IProject)

    portal_type = "Project"

    title = u""
    description = u""
    managers = []
    members = []
    workflow_policy = None
    addable_types = []
Protected with:
<five:registerClass
    class=".content.Project"
    meta_type="b-org Project"
    permission="borg.project.AddProject"
    addview="borg.project.Project"
    icon="borg_project_icon.png"
    />

<utility
    component=".content.projectFactory"
    name="borg.project.Project"
    />

<class class=".content.Project">
    <require
        permission="zope2.View"
        interface=".interfaces.IProject"
        />
    <require
        permission="cmf.ModifyPortalContent"
        set_schema=".interfaces.IProject"
        />
</class>
Then, I have a view:
And a template:
<h1 tal:content="context/title" />
When I try to access this, I get:
Traceback (innermost last):
Module ZPublisher.Publish, line 119, in publish
Module ZPublisher.mapply, line 88, in mapply
Module Products.PDBDebugMode.pdbzope.runcall, line 60, in pdb_runcall
Module ZPublisher.Publish, line 42, in call_object
Module Products.Five.browser.metaconfigure, line 416, in __call__
Module Shared.DC.Scripts.Bindings, line 313, in __call__
Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
Module Products.PageTemplates.PageTemplateFile, line 129, in _exec
Module Products.PageTemplates.PageTemplate, line 89, in pt_render
Module zope.pagetemplate.pagetemplate, line 117, in pt_render
Module zope.tal.talinterpreter, line 271, in __call__
...
Module Products.PageTemplates.Expressions, line 199, in evaluateText
Module zope.tales.tales, line 696, in evaluate
- URL: index
- Line 13, Column 4
- Expression: <PathExpr standard:'context/title'>
- Names:
{'container': <Project at /test/workspace-one>,
'context': <Project at /test/workspace-one>,
'default': <object object at 0x53528>,
'here': <Project at /test/workspace-one>,
'loop': {},
'nothing': None,
'options': {'args': (<Products.Five.metaclass.SimpleViewClass
from
/Users/optilude/Development/Plone/Code/Products/borg/ng/borg.project/borg/project/browser/project.pt
object at 0x6835410>,)},
'repeat': <Products.PageTemplates.Expressions.SafeMapping object
at 0x76c8d50>,
'request': <HTTPRequest,
URL=http://localhost:8080/test/workspace-one/@@view>,
'root': <Application at >,
'template': <ImplicitAcquirerWrapper object at 0x76bbe10>,
'traverse_subpath': [],
'user': <PropertiedUser 'admin'>,
'view': <Products.Five.metaclass.SimpleViewClass from
/Users/optilude/Development/Plone/Code/Products/borg/ng/borg.project/borg/project/browser/project.pt
object at 0x6835410>,
'views': <zope.app.pagetemplate.viewpagetemplatefile.ViewMapper
object at 0x68354b0>}
Module zope.tales.expressions, line 217, in __call__
Module Products.PageTemplates.Expressions, line 131, in _eval
Module zope.tales.expressions, line 124, in _eval
Module Products.PageTemplates.Expressions, line 80, in
boboAwareZopeTraverse
Module OFS.Traversable, line 301, in restrictedTraverse
Module OFS.Traversable, line 236, in unrestrictedTraverse
- __traceback_info__: ([], 'title')
Module AccessControl.ImplPython, line 563, in validate
Module AccessControl.ImplPython, line 454, in validate
Module AccessControl.ImplPython, line 808, in raiseVerbose
Unauthorized: Your user account is defined outside the context of the
object being accessed. Access to 'title' of (Project at
/test/workspace-one) denied. Your user account, admin, exists at
/acl_users. Access requires one of the following roles: ['Contributor',
'Editor', 'Manager', 'Owner', 'Reader'].
I think this is because it's trying to security check 'title'. In
ImplPython.py, with verbose security on, this is the one that's failing:
def verifyAcquisitionContext(user, object, object_roles=None):
    """Mimics the relevant section of User.allowed().

    Returns true if the object is in the context of the user's user folder.
    """
    ufolder = aq_parent(user)
    ucontext = aq_parent(ufolder)
    if ucontext is not None:
        if object is None:
            # This is a strange rule, though
            # it doesn't cause any security holes. SDH
            return 1
        if not hasattr(object, 'aq_inContextOf'):
            if hasattr(object, 'im_self'):
                # This is a method. Grab its self.
                object = object.im_self
            if not hasattr(object, 'aq_inContextOf'):
                # object is not wrapped, therefore we
                # can't determine context.
                # Fail the access attempt. Otherwise
                # this would be a security hole.
                # -------> this is the line that fails
                return None
        if not object.aq_inContextOf(ucontext, 1):
            if 'Shared' in object_roles:
                # Old role setting. Waaa
                object_roles = user._shared_roles(object)
            if 'Anonymous' in object_roles:
                return 1
            return None
    # Note that if the user were not wrapped, it would
    # not be possible to determine the user's context
    # and this method would return 1.
    # However, as long as user folders always return
    # wrapped user objects, this is safe.
    return 1
With a breakpoint there, "object" is the string u"Some title", i.e. the
value of the title attribute.
I can make this work by doing this:
<h1 tal:content="python:context.title" />
Or, I can make it work by leaving the context/title syntax in the
template, but commenting out the <class> <require /> ... bit.
So, first of all, it seems that:
- ViewPageTemplateFiles in a browser view are doing restricted,
rather than unrestricted traversals
- The <require /> directive doesn't seem to work properly on simple
properties
Are these bugs? Are my expectations unreasonable? What are the
consequences of not having a <class> directive setting permissions on
the content type?
Cheers,
Martin
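As an added illustration that is not part of the original post and not Zope's code, the following stand-alone Python model reproduces the mechanism Martin is describing: a restricted traversal runs the acquisition-context check quoted above on the value reached at every path step, so a plain attribute value such as a unicode title (which has no acquisition wrapper and therefore no aq_inContextOf) is denied, while the same path followed without checks returns the value. The classes Node and User, the functions restricted_traverse, unrestricted_traverse and access_outcome, and the site layout (/acl_users, /test/workspace-one) are assumptions constructed for this example.

```python
# Stand-alone model (not Zope's code) of the acquisition-context check that
# the traceback above runs for every step of a restricted path traversal.
# Node, User, restricted_traverse and access_outcome are names assumed for
# this illustration; the roles and the site layout are constructed.


class Unauthorized(Exception):
    """Raised when a traversal step fails the security check."""


class Node(object):
    """Stand-in for an acquisition-wrapped Zope object: it knows its parent,
    so aq_parent() and aq_inContextOf() can be answered for it."""

    def __init__(self, name, parent=None, **attrs):
        self._name = name
        self._parent = parent
        self.__dict__.update(attrs)   # plain attributes such as a title string

    def aq_inContextOf(self, other):
        node = self
        while node is not None:
            if node is other:
                return True
            node = node._parent
        return False

    def __repr__(self):
        return '<%s %s>' % (self.__class__.__name__, self._name)


class User(Node):
    """A user lives inside a user folder; its context is the folder's parent."""


def aq_parent(obj):
    return getattr(obj, '_parent', None)


def verify_acquisition_context(user, obj, object_roles=()):
    """Mirrors the logic of AccessControl.ImplPython.verifyAcquisitionContext:
    True when obj is in the context of the user's user folder."""
    ufolder = aq_parent(user)
    ucontext = aq_parent(ufolder)
    if ucontext is not None:
        if obj is None:
            return True
        if not hasattr(obj, 'aq_inContextOf'):
            # A plain value (a unicode title, a list) is not wrapped, so no
            # context can be determined; the real code returns None here.
            return False
        if not obj.aq_inContextOf(ucontext):
            return 'Anonymous' in object_roles
    return True


def restricted_traverse(user, base, path, object_roles=()):
    """Validate every step, the way a restricted traversal does."""
    obj = base
    for name in path.split('/'):
        value = getattr(obj, name)
        if not verify_acquisition_context(user, value, object_roles):
            raise Unauthorized("Access to %r of %r denied" % (name, obj))
        obj = value
    return obj


def unrestricted_traverse(base, path):
    """Follow the same path with no security checks at all."""
    obj = base
    for name in path.split('/'):
        obj = getattr(obj, name)
    return obj


def access_outcome(user, base, path, object_roles=()):
    """'ok' when the restricted traversal succeeds, 'Unauthorized' otherwise."""
    try:
        restricted_traverse(user, base, path, object_roles)
        return 'ok'
    except Unauthorized:
        return 'Unauthorized'


# Constructed site layout mirroring the traceback: /acl_users and /test/workspace-one
root = Node('root')
acl_users = Node('acl_users', root)
admin = User('admin', acl_users)
test = Node('test', root)
project = Node('workspace-one', test, title=u'Some title')
setattr(test, 'workspace-one', project)

# Roles listed in the Unauthorized message above
ROLES = ['Contributor', 'Editor', 'Manager', 'Owner', 'Reader']

if __name__ == '__main__':
    # Reaching a wrapped object succeeds: it is in the user's context.
    print(access_outcome(admin, test, 'workspace-one', ROLES))   # ok
    # Reaching the plain title string fails the context check.
    print(access_outcome(admin, project, 'title', ROLES))        # Unauthorized
    # The unchecked traversal simply returns the value.
    print(unrestricted_traverse(project, 'title'))                # Some title
```

The model only covers the context check that the breakpoint landed on; it does not reproduce role lookup, so it says nothing about why the python: expression form behaves differently. Its point is the one the traceback makes: a per-step restricted traversal ends up validating the attribute's value, and a bare string cannot satisfy a check that needs an acquisition chain.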