[z3-five] Templates in views and path expressions

Martin Aspeli optilude at gmx.net
Mon May 7 16:45:40 CEST 2007 

Tres Seaver wrote:

>>>>   - The <require /> directive doesn't seem to work properly on simple 
>>>> properties
>>> Your context object somehow has no acquisition wrapper, and therefore
>>> cannot be verified by Zope's acquisition-based security policy.
>> Strange; it derives from CMF's PortalFolder (and a few other things), so 
>> it should be acquisition-aware, and I'm invoking the view via normal 
>> traversal.
>>
>> What is telling you that there's no aq wrapper, specifically?
> 
> The check for 'aq_inContextOf' is failing;  that method is defined in C
> for acquisition wrappers.  Could you be running into a case where the
> context is actually tuple-ified to prevent wrapping it in the view?  I
> think that is an AT thing, but don't recall for sure.

I don't think that has anything to do with AT, and in any case, my 
product doesn't use Archetypes.

I put this in the template:

<b tal:content="python:context.aq_chain" />

It outputs:

[<Project at /test/my-workspace>, <PloneSite at /test>, <Application at 
 >, <ZPublisher.BaseRequest.RequestContainer object at 0x82945b0>]

The Project at /test/my-workspace is the right context object. So there 
is an aq chain.

Note that the user I'm using here is outside the Plone site root, it's 
in the PAS acl_users at the root of the Zope site. I think it's the same 
with a user inside the site's acl_usuers, but I don't have one set up 
right now to re-test with.

Also note that if zope2.View is given to Anonymous (when the object is 
published) it works in both cases, which I presume is because of the 
usual short-circuit.

> Does the patch fix your problem?  I refactored the tests for the
> Expressions module last night to allow up to write tests for the
> security semantics of both the trusted and the regular engines, but
> don't want to go further unless the patch fixes you issue.

I'll try it now and reply here.

>> I assume this only impacts ViewPageTemplateFiles and not regular 
>> TTW/skin layer Page Templates?
> 
> RIght:  the only client of 'createTrustedZopeEngine' is
> Products.Five.browser.pagetemplatefile.  It is arguable that the normal
> PageTemplateFile should use this engine as well;  for BBB, we'd probably
> have to expose it as an option to the PTF construtor, and then cahnge
> the default from untrusted to trusted after a couple of releases.

/me assumes Tres has this under control

Martin

More information about the z3-five mailing list