Hi,

Ages ago, I started a thread (I think on this list) about the use of TAL expressions in Zope 3-style page templates (i.e. ViewPageTemplateFiles used on views) incorrectly performing security checks when using TAL expressions. I think Tres fixed it at the time (I can't find the original mail), but in Zope 2.12.2 there seems to have been a regression. I'd like to make sure I've not missed something, though.

I see the problem in Plone 4.0a2 on Zope 2.12, trying to use plone.app.registry. This package has a class that derives from plone.registry.registry.Registry (a "ZTK-only" version) and SimpleItem (to get Zope 2 security and ZMI visibility). Otherwise, it does nothing. There is a view for this class registered like this:

  <browser:page
      name="view"
      for="plone.registry.interfaces.IRegistry"
      template="records.pt"
      permission="cmf.ManagePortal"
      />

In records.pt, there is the following:

  <tr tal:repeat="record context/records/values">
    ...
  </tr>

This fails with the stack trace below. However, if I change it to use a python: expression, it's all fine:

  <tr tal:repeat="record python:context.records.values()">
    ...
  </tr>

As you can see from the stack trace, the TAL expression has resulted in the use of restrictedTraverse(). I think it should be using unrestrictedTraverse(), since ViewPageTemplateFiles are filesystem code. (In this particular case, it's failing the restrictedTraverse check because 'records' is a property and so doesn't have an aq chain, but never mind that.)
Stack trace:

2009-12-13 00:40:13 ERROR Zope.SiteErrorLog 1260636013.580.4115611559 http://localhost:8080/test/portal_registry/@@view
Traceback (innermost last):
  Module ZPublisher.Publish, line 127, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module Products.PDBDebugMode.runcall, line 70, in pdb_runcall
  Module ZPublisher.Publish, line 47, in call_object
  Module Products.Five.browser.metaconfigure, line 427, in __call__
  Module Products.Five.browser.pagetemplatefile, line 126, in __call__
  Module Products.Five.browser.pagetemplatefile, line 60, in __call__
  Module zope.pagetemplate.pagetemplate, line 115, in pt_render
  Module zope.tal.talinterpreter, line 271, in __call__
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 888, in do_useMacro
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 533, in do_optTag_tal
  Module zope.tal.talinterpreter, line 518, in do_optTag
  Module zope.tal.talinterpreter, line 513, in no_tag
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 888, in do_useMacro
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 533, in do_optTag_tal
  Module zope.tal.talinterpreter, line 518, in do_optTag
  Module zope.tal.talinterpreter, line 513, in no_tag
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 946, in do_defineSlot
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 533, in do_optTag_tal
  Module zope.tal.talinterpreter, line 518, in do_optTag
  Module zope.tal.talinterpreter, line 513, in no_tag
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 954, in do_defineSlot
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 533, in do_optTag_tal
  Module zope.tal.talinterpreter, line 518, in do_optTag
  Module zope.tal.talinterpreter, line 513, in no_tag
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 946, in do_defineSlot
  Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 819, in do_loop_tal
  Module zope.tales.tales, line 682, in setRepeat
  Module zope.tales.tales, line 696, in evaluate
   - URL: /Users/optilude/Development/Plone/Instances/Clients/Lotterywest/osc/src/plone.app.registry/plone/app/registry/browser/records.pt
   - Line 33, Column 12
   - Expression: <PathExpr standard:u'context/records/values'>
   - Names: {'args': (), 'container': <Registry at /test/portal_registry>, 'context': <Registry at /test/portal_registry>, 'default': <object object at 0x1002c7b50>, 'here': <Registry at /test/portal_registry>, 'loop': {}, 'nothing': None, 'options': {}, 'repeat': <Products.PageTemplates.Expressions.SafeMapping object at 0x108e8b3b0>, 'request': <HTTPRequest, URL=http://localhost:8080/test/portal_registry/@@view>, 'root': <Application at >, 'template': <Products.Five.browser.pagetemplatefile.ViewPageTemplateFile object at 0x10792b950>, 'traverse_subpath': [], 'user': <PropertiedUser 'admin'>, 'view': <Products.Five.metaclass.SimpleViewClass from /Users/optilude/Development/Plone/Instances/Clients/Lotterywest/osc/src/plone.app.registry/plone/app/registry/browser/records.pt object at 0x10885c810>, 'views': <Products.Five.browser.pagetemplatefile.ViewMapper object at 0x108cbb0d0>}
  Module zope.tales.expressions, line 217, in __call__
  Module Products.PageTemplates.Expressions, line 127, in _eval
  Module zope.tales.expressions, line 124, in _eval
  Module Products.PageTemplates.Expressions, line 76, in boboAwareZopeTraverse
  Module OFS.Traversable, line 312, in restrictedTraverse
  Module OFS.Traversable, line 247, in unrestrictedTraverse
   - __traceback_info__: ([], 'records')
Unauthorized: You are not allowed to access 'records' in this context

/Users/optilude/.buildout/eggs/Zope2-2.12.1-py2.6-macosx-10.6-i386.egg/OFS/Traversable.py(247)unrestrictedTraverse()

Martin

-- 
Author of `Professional Plone Development`, a book for developers who want to work with Plone. See http://martinaspeli.net/plone-book
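An added example, not code from the mail above and not Zope's or Plone's own code: a small Python model of the two traversal modes the stack trace distinguishes. restricted_traverse() consults a per-hop permission table before fetching each attribute, standing in for the security validation that restrictedTraverse() performs; unrestricted_traverse() is plain getattr, which is what a python: expression in a filesystem ViewPageTemplateFile amounts to. The Registry and Records classes, the _protected table, the permission strings, the users and the record values are all hypothetical, constructed to reproduce the shape of the failure (an undeclared property refused even to an admin user).

```python
"""Model of restricted vs unrestricted traversal for a path expression.

Constructed illustration, not Zope's own code. A per-hop access check
stands in for the security validation done by restrictedTraverse();
plain getattr stands in for a ``python:`` expression in filesystem code.
"""


class Unauthorized(Exception):
    """Raised when a traversal hop is not permitted for the user."""


class User:
    def __init__(self, name, permissions=()):
        self.name = name
        self.permissions = frozenset(permissions)


class Records(dict):
    """Stand-in for the registry's record mapping (hypothetical)."""
    allow_unprotected = True  # its methods (values, items, ...) are reachable


class Registry:
    """Stand-in for the registry class from the mail (hypothetical).

    ``_protected`` models ClassSecurityInfo-style declarations
    (attribute name -> permission required). ``records`` is deliberately
    undeclared: it is a plain property with no declaration of its own.
    """
    _protected = {"title": "View"}
    allow_unprotected = False  # analogue of __allow_access_to_unprotected_subobjects__
    title = "Configuration registry"

    def __init__(self, records):
        self._records = records

    @property
    def records(self):
        return self._records


class DeclaredRegistry(Registry):
    """Same class with ``records`` explicitly declared (hypothetical variant)."""
    _protected = dict(Registry._protected, records="cmf.ManagePortal")


def check_access(container, name, user):
    """Per-hop policy: a declared attribute needs its permission; an
    undeclared one is only reachable if the container opts in."""
    cls = type(container)
    permission = getattr(cls, "_protected", {}).get(name)
    if permission is not None:
        if permission in user.permissions:
            return
        raise Unauthorized("%s lacks %r for %r" % (user.name, permission, name))
    if getattr(cls, "allow_unprotected", False):
        return
    raise Unauthorized("You are not allowed to access %r in this context" % name)


def _render(obj):
    # A TALES path expression calls a callable endpoint (here dict.values).
    return list(obj()) if callable(obj) else obj


def restricted_traverse(obj, path, user):
    """Model of restrictedTraverse(): check, then fetch, on every hop."""
    for name in path.split("/"):
        check_access(obj, name, user)
        obj = getattr(obj, name)
    return _render(obj)


def unrestricted_traverse(obj, path):
    """Model of a python: expression in filesystem code: no checks at all."""
    for name in path.split("/"):
        obj = getattr(obj, name)
    return _render(obj)


# Constructed sample users and registries.
ADMIN = User("admin", ["View", "cmf.ManagePortal"])
ANON = User("anonymous")
UNDECLARED = Registry(Records(theme="sunburst", language="en"))
DECLARED = DeclaredRegistry(Records(theme="sunburst", language="en"))


def path_expression(registry, user, path="records/values"):
    """What tal:repeat="record context/records/values" amounts to."""
    try:
        return sorted(restricted_traverse(registry, path, user))
    except Unauthorized as exc:
        return str(exc)


def python_expression(registry, path="records/values"):
    """What tal:repeat="record python:context.records.values()" amounts to."""
    return sorted(unrestricted_traverse(registry, path))


if __name__ == "__main__":
    print(path_expression(UNDECLARED, ADMIN))  # refused even for admin
    print(python_expression(UNDECLARED))       # works: no check on any hop
    print(path_expression(DECLARED, ADMIN))    # works: permission satisfied
    print(path_expression(DECLARED, ANON))     # refused: lacks the permission
```

The model makes the trade-off visible: switching the template to a python: expression gets past the error by removing the per-hop check rather than satisfying it, whereas the DeclaredRegistry variant keeps restricted traversal in place, admits users holding the permission and still refuses everyone else. Which of the two is appropriate for a given template depends on whether that template is trusted filesystem code, which is exactly the question the mail raises.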