[z3-five] Templates in views and path expressions
Tres Seaver
tseaver at palladion.com
Mon May 7 03:45:08 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Martin Aspeli wrote:
> Hi guys,
>
> This is driving me up the wall.
>
> I have a content class:
>
> class Project(Container):
> implements(IProject)
> portal_type = "Project"
>
> title = u""
> description = u""
> managers = []
> members = []
> workflow_policy = None
> addable_types = []
>
> Protected with:
>
> <five:registerClass
> class=".content.Project"
> meta_type="b-org Project"
> permission="borg.project.AddProject"
> addview="borg.project.Project"
> icon="borg_project_icon.png"
> />
>
> <utility
> component=".content.projectFactory"
> name="borg.project.Project"
> />
>
> <class class=".content.Project">
> <require
> permission="zope2.View"
> interface=".interfaces.IProject"
> />
> <require
> permission="cmf.ModifyPortalContent"
> set_schema=".interfaces.IProject"
> />
> </class>
>
> Then, I have a view:
>
>
> And a template:
>
> <h1 tal:content="context/title" />
>
> When I try to access this, I get:
>
> Traceback (innermost last):
> Module ZPublisher.Publish, line 119, in publish
> Module ZPublisher.mapply, line 88, in mapply
> Module Products.PDBDebugMode.pdbzope.runcall, line 60, in pdb_runcall
> Module ZPublisher.Publish, line 42, in call_object
> Module Products.Five.browser.metaconfigure, line 416, in __call__
> Module Shared.DC.Scripts.Bindings, line 313, in __call__
> Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
> Module Products.PageTemplates.PageTemplateFile, line 129, in _exec
> Module Products.PageTemplates.PageTemplate, line 89, in pt_render
> Module zope.pagetemplate.pagetemplate, line 117, in pt_render
> Module zope.tal.talinterpreter, line 271, in __call__
> ...
> Module Products.PageTemplates.Expressions, line 199, in evaluateText
> Module zope.tales.tales, line 696, in evaluate
> - URL: index
> - Line 13, Column 4
> - Expression: <PathExpr standard:'context/title'>
> - Names:
> {'container': <Project at /test/workspace-one>,
> 'context': <Project at /test/workspace-one>,
> 'default': <object object at 0x53528>,
> 'here': <Project at /test/workspace-one>,
> 'loop': {},
> 'nothing': None,
> 'options': {'args': (<Products.Five.metaclass.SimpleViewClass
> from
> /Users/optilude/Development/Plone/Code/Products/borg/ng/borg.project/borg/project/browser/project.pt
> object at 0x6835410>,)},
> 'repeat': <Products.PageTemplates.Expressions.SafeMapping object
> at 0x76c8d50>,
> 'request': <HTTPRequest,
> URL=http://localhost:8080/test/workspace-one/@@view>,
> 'root': <Application at >,
> 'template': <ImplicitAcquirerWrapper object at 0x76bbe10>,
> 'traverse_subpath': [],
> 'user': <PropertiedUser 'admin'>,
> 'view': <Products.Five.metaclass.SimpleViewClass from
> /Users/optilude/Development/Plone/Code/Products/borg/ng/borg.project/borg/project/browser/project.pt
> object at 0x6835410>,
> 'views': <zope.app.pagetemplate.viewpagetemplatefile.ViewMapper
> object at 0x68354b0>}
> Module zope.tales.expressions, line 217, in __call__
> Module Products.PageTemplates.Expressions, line 131, in _eval
> Module zope.tales.expressions, line 124, in _eval
> Module Products.PageTemplates.Expressions, line 80, in
> boboAwareZopeTraverse
> Module OFS.Traversable, line 301, in restrictedTraverse
> Module OFS.Traversable, line 236, in unrestrictedTraverse
> - __traceback_info__: ([], 'title')
> Module AccessControl.ImplPython, line 563, in validate
> Module AccessControl.ImplPython, line 454, in validate
> Module AccessControl.ImplPython, line 808, in raiseVerbose
> Unauthorized: Your user account is defined outside the context of the
> object being accessed. Access to 'title' of (Project at
> /test/workspace-one) denied. Your user account, admin, exists at
> /acl_users. Access requires one of the following roles: ['Contributor',
> 'Editor', 'Manager', 'Owner', 'Reader'].
>
> I think this is because it's trying to security check 'title'. In
> ImplPython.py, with verbose security on, this is the one that's failing:
>
> def verifyAcquisitionContext(user, object, object_roles=None):
> """Mimics the relevant section of User.allowed().
>
> Returns true if the object is in the context of the user's user folder.
> """
> ufolder = aq_parent(user)
> ucontext = aq_parent(ufolder)
> if ucontext is not None:
> if object is None:
> # This is a strange rule, though
> # it doesn't cause any security holes. SDH
> return 1
> if not hasattr(object, 'aq_inContextOf'):
> if hasattr(object, 'im_self'):
> # This is a method. Grab its self.
> object=object.im_self
> if not hasattr(object, 'aq_inContextOf'):
> # object is not wrapped, therefore we
> # can't determine context.
> # Fail the access attempt. Otherwise
> # this would be a security hole.
> -------> return None
> if not object.aq_inContextOf(ucontext, 1):
> if 'Shared' in object_roles:
> # Old role setting. Waaa
> object_roles=user._shared_roles(object)
> if 'Anonymous' in object_roles:
> return 1
> return None
> # Note that if the user were not wrapped, it would
> # not be possible to determine the user's context
> # and this method would return 1.
> # However, as long as user folders always return
> # wrapped user objects, this is safe.
> return 1
>
> With a breakpoint there, "object" is the string u"Some title", i.e. the
> value of the title attribute.
>
> I can make this work by doing this:
>
> <h1 tal:content="python:context.title" />
>
> Or, I can make it work by leaving the context/title syntax in the
> template, but commenting out the <class> <require /> ... bit.
>
> So, first of all, it seems that:
>
> - ViewPageTemplateFile's in a browser view are doing restricted,
> rather than unrestricted traversals
This is becuase
'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
'python:' expressions; path traversal is still governed by
'boboAwareZopeTraverse', which uses 'restrictedTraverse'.
> - The <require /> directive doesn't seem to work properly on simple
> properties
Your context object somehow has no acquisition wrapper, and therefore
cannot be verified by Zope's acquisition-based security policy.
> Are these bugs? Are my expectations unreasonable? What are the
> consequences of not having a <class> directive setting permissions on
> the content type?
Applications which don't expose their objects to TTW-modifiable code can
safely leave those declarations out; in fact, all the Five-based apps I
have worked on do this, as they don't permit "skinning" or
"customerization".
We had a similar exchange about three weeks ago on the subject, 'ZCML
security declarations and properties'. I conceded then, through
failutre to read carefully enough:
> You are correct that the VPTF is trusted code -- my bad.
As it turns out, it is only "partially trusted." The attached patch
should make them "really trusted", at least for path expressions; does
it help? I haven't added any tests, although my 2.10 branch checkout
does pass all tests with this change.
Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGPoSj+gerLs4ltQ4RAioOAKDYoA66AGZszM7LTQfrn8+QN+3//ACcCwSl
WchbpEPYpqzyFoFpk9d+u/I=
=tL7+
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: reallyTrustedViews.patch
Type: text/x-patch
Size: 2869 bytes
Desc: not available
Url : http://codespeak.net/pipermail/z3-five/attachments/20070506/7f8a9ea8/attachment.bin
More information about the z3-five
mailing list