[z3-five] Templates in views and path expressions

Martin Aspeli optilude at gmx.net
Mon May 7 13:03:28 CEST 2007 

Hi Tres.


>>   - ViewPageTemplateFile's in a browser view are doing restricted, 
>> rather than unrestricted traversals
> 
> This is becuase
> 'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
> 'python:' expressions;  path traversal is still governed by
> 'boboAwareZopeTraverse', which uses 'restrictedTraverse'.

That's bad, isn't it?

>>   - The <require /> directive doesn't seem to work properly on simple 
>> properties
> 
> Your context object somehow has no acquisition wrapper, and therefore
> cannot be verified by Zope's acquisition-based security policy.

Strange; it derives from CMF's PortalFolder (and a few other things), so 
it should be acquisition-aware, and I'm invoking the view via normal 
traversal.

What is telling you that there's no aq wrapper, specifically?

>> Are these bugs? Are my expectations unreasonable? What are the 
>> consequences of not having a <class> directive setting permissions on 
>> the content type?
> 
> Applications which don't expose their objects to TTW-modifiable code can
> safely leave those declarations out;  in fact, all the Five-based apps I
> have worked on do this, as they don't permit "skinning" or
> "customerization".

Right. I'd still prefer to have it in, though. :)

I'm also unclear what the effect of base classes (e.g. PortalFolder) 
doing their own ClassSecrityInfo is on my own derived type, if my 
derived type uses neither ClassSecurityInfo directly, nor a <require /> 
ZCML statement.

> We had a similar exchange about three weeks ago on the subject, 'ZCML
> security declarations and properties'.  I conceded then, through
> failutre to read carefully enough:

Ah yes, I knew there was a reason I had deja-vu :(

>> You are correct that the VPTF is trusted code -- my bad.
> 
> As it turns out, it is only "partially trusted."  The attached patch
> should make them "really trusted", at least for path expressions;  does
> it help?  I haven't added any tests, although my 2.10 branch checkout
> does pass all tests with this change.

It seems to me that being "not fully trusted" is a bug, so I'd be very 
happy if this went in!

I assume this only impacts ViewPageTemplateFiles and not regular 
TTW/skin layer Page Templates?

Martin

> ------------------------------------------------------------------------
> 
> Index: lib/python/Products/PageTemplates/Expressions.py
> ===================================================================
> --- lib/python/Products/PageTemplates/Expressions.py	(revision 75597)
> +++ lib/python/Products/PageTemplates/Expressions.py	(working copy)
> @@ -83,6 +83,26 @@
>                                           request=request)
>      return object
>  
> +def trustedBoboAwareZopeTraverse(object, path_items, econtext):
> +    """Traverses a sequence of names, first trying attributes then items.
> +
> +    This uses Zope 3 path traversal where possible and interacts
> +    correctly with objects providing OFS.interface.ITraversable when
> +    necessary (bobo-awareness).
> +    """
> +    request = getattr(econtext, 'request', None)
> +    path_items = list(path_items)
> +    path_items.reverse()
> +
> +    while path_items:
> +        name = path_items.pop()
> +        if OFS.interfaces.ITraversable.providedBy(object):
> +            object = object.unrestrictedTraverse(name)
> +        else:
> +            object = traversePathElement(object, name, path_items,
> +                                         request=request)
> +    return object
> +
>  def render(ob, ns):
>      """Calls the object, possibly a document template, or just returns
>      it if not callable.  (From DT_Util.py)
> @@ -108,11 +128,13 @@
>  
>  class ZopePathExpr(PathExpr):
>  
> +    _TRAVERSER = staticmethod(boboAwareZopeTraverse)
> +
>      def __init__(self, name, expr, engine):
>          if not expr.strip():
>              expr = 'nothing'
>          super(ZopePathExpr, self).__init__(name, expr, engine,
> -                                           boboAwareZopeTraverse)
> +                                           self._TRAVERSER)
>  
>      # override this to support different call metrics (see bottom of
>      # method) and Zope 2's traversal exceptions (ZopeUndefs instead of
> @@ -150,6 +172,9 @@
>                  return 1
>          return 0
>  
> +class TrustedZopePathExpr(ZopePathExpr):
> +    _TRAVERSER = staticmethod(trustedBoboAwareZopeTraverse)
> +
>  class SafeMapping(MultiMapping):
>      """Mapping with security declarations and limited method exposure.
>  
> @@ -335,11 +360,11 @@
>              return False
>          return ob1 == ob2
>  
> -def createZopeEngine():
> +def createZopeEngine(zpe=ZopePathExpr):
>      e = ZopeEngine()
>      e.iteratorFactory = PathIterator
> -    for pt in ZopePathExpr._default_type_names:
> -        e.registerType(pt, ZopePathExpr)
> +    for pt in zpe._default_type_names:
> +        e.registerType(pt, zpe)
>      e.registerType('string', StringExpr)
>      e.registerType('python', ZRPythonExpr.PythonExpr)
>      e.registerType('not', NotExpr)
> @@ -352,7 +377,7 @@
>  def createTrustedZopeEngine():
>      # same as createZopeEngine, but use non-restricted Python
>      # expression evaluator
> -    e = createZopeEngine()
> +    e = createZopeEngine(TrustedZopePathExpr)
>      e.types['python'] = PythonExpr
>      return e
>  
>

More information about the z3-five mailing list