[z3-five] Templates in views and path expressions
Martin Aspeli
optilude at gmx.net
Mon May 7 16:56:35 CEST 2007
Tres Seaver wrote:
> Does the patch fix your problem? I refactored the tests for the
> Expressions module last night to allow us to write tests for the
> security semantics of both the trusted and the regular engines, but
> don't want to go further unless the patch fixes your issue.
It seems to work, yes! Thank you!
I've tried as a Manager user, and as a user with a local role which has
View permission in the context.
So, I think that fixes the ViewPageTemplateFiles-are-not-real-trusted
problem.
I still have a problem with security not being applied properly to
attributes, though. I just tried to put an untrusted page template in a
skin layer (actually, a temporarily mutilated document_view from Plone),
and do
<b tal:content="context/title" />
on the object. That still gives me the same Unauthorized error as
before, even though I thought I'd protected it.
For reference, here's the ZCML:
<configure xmlns="http://namespaces.zope.org/zope">

  <class class=".content.Project">
    <!-- reading any attribute named in IProject requires View -->
    <require
        permission="zope2.View"
        interface=".interfaces.IProject"
        />
    <!-- setting any IProject attribute requires Modify portal content -->
    <require
        permission="cmf.ModifyPortalContent"
        set_schema=".interfaces.IProject"
        />
  </class>

</configure>
and the interface:
from zope.interface import Interface
from zope import schema
from zope.i18nmessageid import MessageFactory

# i18n domain assumed; the post does not show where _ is defined
_ = MessageFactory("b-org")


class IProject(Interface):
    """A project workspace, where special local roles may apply
    """
    title = schema.TextLine(title=_(u"Title"),
                            description=_(u"Name of the project"),
                            required=True)
    ...
and the class:
from zope.interface import implements
# import locations assumed for Plone 3 (not shown in the post)
from plone.app.content.container import Container
from plone.app.content.interfaces import INameFromTitle
from plone.locking.interfaces import ITTWLockable

from interfaces import IProject  # sibling module, as referenced by the ZCML


class Project(Container):
    implements(IProject, ITTWLockable, INameFromTitle)
    portal_type = "b-org Project"
    title = u""
    ...
and the error:
Traceback (innermost last):
Module ZPublisher.Publish, line 119, in publish
Module ZPublisher.mapply, line 88, in mapply
Module Products.PDBDebugMode.pdbzope.runcall, line 60, in pdb_runcall
Module ZPublisher.Publish, line 42, in call_object
Module Shared.DC.Scripts.Bindings, line 313, in __call__
Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
Module Products.CMFCore.FSPageTemplate, line 220, in _exec
Module Products.CMFCore.FSPageTemplate, line 159, in pt_render
Module Products.PageTemplates.PageTemplate, line 89, in pt_render
Module zope.pagetemplate.pagetemplate, line 117, in pt_render
Module zope.tal.talinterpreter, line 271, in __call__
Module zope.tal.talinterpreter, line 346, in interpret
...
Module Products.PageTemplates.Expressions, line 224, in evaluateText
Module zope.tales.tales, line 696, in evaluate
- URL:
file:/Users/optilude/Development/Plone/Code/Build/ploneout/trunk/products/CMFPlone/skins/plone_content/document_view.pt
- Line 12, Column 4
- Expression: <PathExpr standard:u'context/managers'>
- Names:
{'container': <PloneSite at /test>,
'context': <Project at /test/my-workspace>,
'default': <object object at 0x53528>,
'here': <Project at /test/my-workspace>,
'loop': {},
'nothing': None,
'options': {'args': ()},
'repeat': <Products.PageTemplates.Expressions.SafeMapping object
at 0x8253558>,
'request': <HTTPRequest,
URL=http://localhost:8080/test/my-workspace/document_view>,
'root': <Application at >,
'template': <FSPageTemplate at /test/document_view used for
/test/my-workspace>,
'traverse_subpath': [],
'user': <PropertiedUser 'admin'>}
Module zope.tales.expressions, line 217, in __call__
Module Products.PageTemplates.Expressions, line 153, in _eval
Module zope.tales.expressions, line 124, in _eval
Module Products.PageTemplates.Expressions, line 80, in boboAwareZopeTraverse
Module OFS.Traversable, line 301, in restrictedTraverse
Module OFS.Traversable, line 236, in unrestrictedTraverse
- __traceback_info__: ([], 'managers')
Module AccessControl.ImplPython, line 563, in validate
Module AccessControl.ImplPython, line 454, in validate
Module AccessControl.ImplPython, line 808, in raiseVerbose
Unauthorized: Your user account is defined outside the context of the
object being accessed. Access to 'managers' of (Project at
/test/my-workspace) denied. Your user account, admin, exists at
/acl_users. Access requires one of the following roles: ['Contributor',
'Editor', 'Manager', 'Owner', 'Reader'].
Martin
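The ZCML in the post declares that reading any attribute named in IProject needs zope2.View and setting one needs cmf.ModifyPortalContent, and Zope 2 resolves such a check through permission-to-role mappings acquired up the containment chain plus the user's global and local roles. The following is an added, simplified model of that resolution written for this thread; it is not Zope, Five or Plone code. The role maps for the two permissions, the user and object names, the IProject field list, and helpers such as `validate_read`, `validate_set` and `build_site` are assumptions made for the illustration. It models the declaration and role logic only, not the "user account is defined outside the context" failure in the traceback above.

```python
"""Model of how an untrusted page template's ``context/<name>`` is checked
against ZCML <require> declarations in Zope 2 terms (added illustration,
not Zope/Five/Plone code; all names below are assumed)."""


class Unauthorized(Exception):
    """Raised when the requesting user may not access the attribute."""


class Interface(object):
    """Stand-in for a zope.interface Interface: the attribute names it declares."""

    def __init__(self, *names):
        self.names = frozenset(names)


# Assumed subset of the post's IProject: title is shown there, description is
# added to show that every field of the interface is covered by <require>.
IProject = Interface("title", "description")


class ClassSecurity(object):
    """Effect of <class>/<require>: one permission per attribute, tracked
    separately for reading (interface=) and setting (set_schema=)."""

    def __init__(self):
        self.read_permission = {}
        self.set_permission = {}

    def require(self, permission, interface=None, set_schema=None):
        if interface is not None:
            for name in interface.names:
                self.read_permission[name] = permission
        if set_schema is not None:
            for name in set_schema.names:
                self.set_permission[name] = permission


class Content(object):
    """A content object in a containment chain with Zope 2-style security data."""

    def __init__(self, name, parent=None, security=None):
        self.name = name
        self.parent = parent
        self.security = security
        self.permission_roles = {}  # permission -> roles allowed (manage_permission)
        self.local_roles = {}       # user id -> set of local roles

    def roles_for(self, permission):
        """Walk up the chain, as acquisition does, until a role map is found."""
        obj = self
        while obj is not None:
            if permission in obj.permission_roles:
                return set(obj.permission_roles[permission])
            obj = obj.parent
        return set()


class User(object):
    def __init__(self, user_id, global_roles=()):
        self.id = user_id
        self.global_roles = set(global_roles)

    def roles_in_context(self, obj):
        """Global roles plus every local role granted on obj or its containers."""
        roles = set(self.global_roles)
        while obj is not None:
            roles |= obj.local_roles.get(self.id, set())
            obj = obj.parent
        return roles


def _check(user, obj, name, required_permission):
    if required_permission is None:
        # Undeclared attributes are never reachable from untrusted code.
        raise Unauthorized("%r on %s is not protected by any declaration" % (name, obj.name))
    allowed = obj.roles_for(required_permission)
    if not (user.roles_in_context(obj) & allowed):
        raise Unauthorized("Access to %r of %s denied. Access requires one of the "
                           "following roles: %s" % (name, obj.name, sorted(allowed)))
    return True


def validate_read(user, obj, name):
    """What restrictedTraverse must decide for ``context/<name>``."""
    return _check(user, obj, name, obj.security.read_permission.get(name))


def validate_set(user, obj, name):
    """What a guarded setattr must decide under the set_schema declaration."""
    return _check(user, obj, name, obj.security.set_permission.get(name))


def can_read(user, obj, name):
    try:
        return validate_read(user, obj, name)
    except Unauthorized:
        return False


def can_set(user, obj, name):
    try:
        return validate_set(user, obj, name)
    except Unauthorized:
        return False


def build_site():
    """Constructed scenario mirroring the post: a site root with Plone-like
    role maps and a Project inside it carrying a local Reader role (assumed)."""
    project_security = ClassSecurity()
    project_security.require("zope2.View", interface=IProject)
    project_security.require("cmf.ModifyPortalContent", set_schema=IProject)

    site = Content("test")
    site.permission_roles["zope2.View"] = ["Contributor", "Editor", "Manager", "Owner", "Reader"]
    site.permission_roles["cmf.ModifyPortalContent"] = ["Contributor", "Editor", "Manager", "Owner"]

    project = Content("my-workspace", parent=site, security=project_security)
    project.local_roles["bob"] = {"Reader"}
    return site, project


if __name__ == "__main__":
    site, project = build_site()
    admin, bob, anon = User("admin", ["Manager"]), User("bob"), User("anonymous", ["Anonymous"])
    for user in (admin, bob, anon):
        print(user.id, "read title:", can_read(user, project, "title"),
              "set title:", can_set(user, project, "title"),
              "read managers:", can_read(user, project, "managers"))
```

The two things worth noticing when running it: a local role granted on the project is enough to read `title` because the role map for View is acquired from the site root, and an attribute that no `<require>` covers is denied to everyone, Manager included, because untrusted code only reaches declared names.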