Stuart Bishop wrote:
In Shared.DC.Scripts.Bindings._getContext(self), there seems to be a new security check:

    getSecurityManager().validate(parent, container, '', self)

This is now giving me the following traceback:

Traceback (innermost last):
  Module ZPublisher.Publish, line 100, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 40, in call_object
  Module Products.CGPublisher.storage.Storage, line 911, in editPane
  Module Shared.DC.Scripts.Bindings, line 261, in __call__
  Module Shared.DC.Scripts.Bindings, line 292, in _bindAndExec
  Module Products.PageTemplates.PageTemplateFile, line 106, in _exec
  Module Products.PageTemplates.PageTemplate, line 90, in pt_render
   - <PageTemplateFile at /CGPublisher/works/2/5/source/getaway/details/editPaneHelper>
  Module Products.PageTemplates.PageTemplateFile, line 74, in pt_getContext
  Module Shared.DC.Scripts.Bindings, line 224, in _getContext
  Module AccessControl.ImplPython, line 398, in validate
  Module AccessControl.ImplPython, line 263, in validate
Unauthorized: You are not allowed to access '' in this context

editPaneHelper is just a PageTemplateFile. Storage.editPane (Python - not Python Script) is calling it like:

    return self.editPaneHelper(**options)

Can anyone give me a hint on tracking this down? I have so far been unable to write a minimal example that fails (they all work), so I'm unsure if this is a Zope problem or my problem.

Zope 2.6.3 added a new security check for untrusted code, to ensure that the "bindings" created (in particular, 'context' and 'container') weren't set up if the user didn't have access to the bound objects. You can either:

- On the template's "Bindings" tab, unbind the 'context' name (assuming that your template does not use either 'context' or 'here')
- Give the template a proxy role of 'Manager'.

Tres.
--
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
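
The binding check and the two workarounds from the reply above, as a simplified model added here (it is not Zope's code and not part of the original thread). `Obj`, `Template`, `build_bindings`, `outcome` and the sample roles are hypothetical, and only role checks are modelled. The last case goes slightly beyond the reply: proxy roles are checked instead of the user's roles, so they can also take access away.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""

class Obj:
    """Hypothetical object guarded by the set of roles allowed to access it."""
    def __init__(self, name, allowed_roles):
        self.name, self.allowed_roles = name, set(allowed_roles)

class Template:
    """Hypothetical template: names bound on the Bindings tab, plus proxy roles."""
    def __init__(self, bound=("context", "container"), proxy_roles=()):
        self.bound, self.proxy_roles = set(bound), set(proxy_roles)

def validate(obj, user_roles, template):
    # Proxy roles, when set, are checked instead of the user's own roles.
    roles = template.proxy_roles or set(user_roles)
    if not roles & obj.allowed_roles:
        raise Unauthorized("no access to %r while binding" % obj.name)

def build_bindings(template, context, container, user_roles):
    """Validate and set up only the names the template actually binds."""
    bindings = {}
    for name, obj in (("context", context), ("container", container)):
        if name in template.bound:
            validate(obj, user_roles, template)
            bindings[name] = obj
    return bindings

def outcome(template, user_roles, context, container):
    """Return the sorted bound names, or 'Unauthorized' if a check fails."""
    try:
        return sorted(build_bindings(template, context, container, user_roles))
    except Unauthorized:
        return "Unauthorized"

# Constructed sample data: the user may reach the container but not the context.
DETAILS = Obj("details", {"Manager"})
STORAGE = Obj("storage", {"Anonymous", "Manager"})

if __name__ == "__main__":
    cases = [("default bindings", Template(), {"Anonymous"}),
             ("context unbound", Template(bound=("container",)), {"Anonymous"}),
             ("proxy role Manager", Template(proxy_roles=("Manager",)), {"Anonymous"}),
             ("proxy role Editor, user is Manager",
              Template(proxy_roles=("Editor",)), {"Manager"})]
    for label, tmpl, roles in cases:
        print(label, "->", outcome(tmpl, roles, DETAILS, STORAGE))
```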