Hi Steve,

Thanks for the reply. Of course as soon as I reported this, I went away for a couple days and I haven't been able to check the list.

It appears that the problem is that the BTreeItems object returned by getPersistentObjectIDs isn't currently allowed as an argument of 'in' by itself since it's not in the 'containerAssertions' dictionary defined in SimpleObjectPolicies.py and it doesn't have the magic property: '__allow_access_to_unprotected_subobjects__'. If you *sort* the BTreeItems object, however, the dtml-in tag makes a copy of the items in the BTreeItems object as a simple List, and sorts that rather than destructively attempting to sort the original. The simple list is in containerAssertions, and is therefore allowed.

I was wrong about the <dtml-var "defaultRack.getPersistentItemIDs()">; it's only <dtml-in "defaultRack.getPersistentItemIDs()"> that seems to cause the problem.

The odd thing is that the method 'getPersistentObjectIDs' is correctly included in the definition of __ac_permissions__ in Rack.py, but as you point out, it returns a BTreeItems object that doesn't want to play nice with <dtml-in... >. One possible solution would be to add an '__allow_access_to_unprotected_subobjects__' property to the BTreeItems object. I'm not sure who should do that..... maybe Rack.py? For now.. I'll just sort the ids. ;-)

thanks,
-steve
"Steve" == Steve Alexander <steve@cat-box.net> writes:
Steve> Steve Spicklemire wrote:
>> Hi ZPatterns folks...
>>
>> ZPatterns-0.4.1snap1 Zope2.2.0-src
>>
>> I have a specialist with a defaultRack storing DataSkin
>> subclassed ZClass instances with only persistent attribute
>> providers.
>>
>> <dtml-var "defaultRack.getPersistentItemIDs()">

Steve> When I call that, I get <BTreeItems object at 869a5d8>. To
Steve> get that list of IDs, I use an external method:

Steve> def get_persistent_ids(self):
Steve>     try:
Steve>         items = self.defaultRack.aq_base.getPersistentItemIDs()
Steve>         return map(lambda x: x, items)
Steve>     except:
Steve>         import sys, traceback, string
Steve>         etype, val, tb = sys.exc_info()
Steve>         sys.stderr.write(string.join(traceback.format_exception(etype, val, tb),''))
Steve>         del etype, val, tb

Steve> I've tried something like your code, with no sheetproviders
Steve> in the rack. I can't reproduce your error. I'm using the
Steve> method as a Manager.

>> or
>>
>> <dtml-in "defaultRack.getPersistentItemIDs()"> ... </dtml-in>
>>
>> raise AuthorizationFailed
>>
>> <dtml-in "defaultRack.getPersistentItemIDs()" sort> ...
>> </dtml-in>
>>
>> works fine. What did I do now? ;-)

Steve> Line 318, Rack.py. The method getPersistentItemIDs has no
Steve> docstring. Is that still significant under the new security
Steve> model?

Steve> Does the user you're running the method as have the
Steve> permission "Access contents information" ?

Steve> Looks like you may have uncovered a Zope security bug in
Steve> <dtml-in ... sort> :-/

Steve> How could we test this further?

Steve> -- Steve Alexander Software Engineer Cat-Box limited
Steve> http://www.cat-box.net
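
The container check described in the message above, as an added example that is not part of the original thread and is not Zope's own code. It is a simplified model in current Python: containerAssertions, __allow_access_to_unprotected_subobjects__ and AuthorizationFailed are names from the thread, while container_allows, dtml_in, FakeBTreeItems, DeclaredBTreeItems and outcome are hypothetical stand-ins.

```python
# Simplified model (an assumption, not Zope source) of the policy check
# the message describes for items iterated by <dtml-in>.

class AuthorizationFailed(Exception):
    """Local stand-in for the error named in the thread."""

# Plain container types whose items restricted code may receive.
containerAssertions = {list: 1, tuple: 1, dict: 1, str: 1}

def container_allows(container):
    """True if the container's type is asserted, or it declares access itself."""
    allowed = containerAssertions.get(type(container))
    if allowed is None:
        allowed = getattr(container,
                          '__allow_access_to_unprotected_subobjects__', None)
    return bool(allowed)

def dtml_in(sequence, sort=False):
    """Model of <dtml-in>: each item is validated against its container."""
    if sort:
        # Sorting works on a copy, so the policy now sees a plain list
        # instead of the object the protected method actually returned.
        sequence = sorted(list(sequence))
    items = []
    for item in sequence:
        if not container_allows(sequence):
            raise AuthorizationFailed(type(sequence).__name__)
        items.append(item)
    return items

class FakeBTreeItems:
    """Stand-in for BTreeItems: iterable, carries no security declaration."""
    def __init__(self, ids):
        self._ids = list(ids)
    def __iter__(self):
        return iter(self._ids)

class DeclaredBTreeItems(FakeBTreeItems):
    """The same container with the declaration suggested in the message."""
    __allow_access_to_unprotected_subobjects__ = 1

def outcome(sequence, sort=False):
    """Return the iterated items, or the failure name if access is refused."""
    try:
        return dtml_in(sequence, sort=sort)
    except AuthorizationFailed:
        return 'AuthorizationFailed'
```

In this model the unsorted loop is refused, the sorted loop passes only because the check is applied to the copy, and the declared container passes without sorting.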