Hi!
I didn't know that methods needed to have docstrings to be traversable (it took me some time to find out why I was getting "Not found" errors on some of a tool's methods). Is there any reason to still have such a "feature" in Zope2.9? or at least maybe there could be a hint in the trace log.
regards /JM
Jean-Marc Orliaguet wrote:
I didn't know that methods needed to have docstrings to be traversable (it took me some time to find out why I was getting "Not found" errors on some of a tool's methods). Is there any reason to still have such a "feature" in Zope2.9?
"Publishable methods have docstrings" is the oldest security model in Zope / Bobo. It would open unknown security holes in 3rd party applications if we removed that restriction. Even setting the default value of '__allow_access_to_unprotected_subobjects__' to False wouldn't help, because there are many products which set that to True for their objects, relying on the lack of docstring to make their methods safe from direct URL access.
In fact, this restriction is *different* than the "permission-role" one: even methods whose roles are None (i.e. public), and therefore can be called by scripts run by anonymous users, are prevented from being "published" if they have no docstrings.
or at least maybe there could be a hint in the trace log.
I *think* if you run in debug mode with verbose security turned on, it suggests that as one possible reason.
Tres.
--
Tres Seaver +1 202-558-7113 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com
If somebody gets time to do the suggested refactoring of the publisher for 2.10, then the docstring requirement could be dropped for IFiveTraversable objects, I think.
or?
Lennart Regebro wrote:
If somebody gets time to do the suggested refactoring of the publisher for 2.10, then the docstring requirement could be dropped for IFiveTraversable objects, I think.
OTOH, what's wrong with docstrings anyway? :-)
Regards Tino
Tres Seaver wrote:
Jean-Marc Orliaguet wrote:
I didn't know that methods needed to have docstrings to be traversable (it took me some time to find out why I was getting "Not found" errors on some of a tool's methods). Is there any reason to still have such a "feature" in Zope2.9?
"Publishable methods have docstrings" is the oldest security model in Zope / Bobo. It would open unknown security holes in 3rd party applications if we removed that restriction. Even setting the default value of '__allow_access_to_unprotected_subobjects__' to False wouldn't help, because there are many products which set that to True for their objects, relying on the lack of docstring to make their methods safe from direct URL access.
In fact, this restriction is *different* than the "permission-role" one: even methods whose roles are None (i.e. public), and therefore can be called by scripts run by anonymous users, are prevented from being "published" if they have no docstrings.
or at least maybe there could be a hint in the trace log.
I *think* if you run in debug mode with verbose security turned on, it suggests that as one possible reason.
Tres.
One extra difficulty when debugging with that model is that .pyc files must be deleted if the .py is modified, since apparently docstrings are ignored during the compilation.
But now I know :-)
/JM
Jean-Marc Orliaguet wrote at 2006-1-30 16:52 +0100:
... One extra difficulty when debugging with that model is that .pyc files must be deleted if the .py is modified, since apparently docstrings are ignored during the compilation.
This is not the case (unless you use "-OO" and even then, the ".pyc" file would be recreated).
On Mon, Jan 30, 2006 at 11:34:17AM +0100, Jean-Marc Orliaguet wrote:
Hi!
I didn't know that methods needed to have docstrings to be traversable (it took me some time to find out why I was getting "Not found" errors on some of a tool's methods). Is there any reason to still have such a "feature" in Zope2.9? or at least maybe there could be a hint in the trace log.
I thought the docstring requirement only applied to publishing, not traversal per se? Do you get "Not found" when doing e.g. restrictedTraverse(some_path)?
Paul Winkler wrote:
On Mon, Jan 30, 2006 at 11:34:17AM +0100, Jean-Marc Orliaguet wrote:
Hi!
I didn't know that methods needed to have docstrings to be traversable (it took me some time to find out why I was getting "Not found" errors on some of a tool's methods). Is there any reason to still have such a "feature" in Zope2.9? or at least maybe there could be a hint in the trace log.
I thought the docstring requirement only applied to publishing, not traversal per se? Do you get "Not found" when doing e.g. restrictedTraverse(some_path)?
No, then it works, and also when methods are called from inside page templates. It's the publisher that doesn't find it.
/JM
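The behaviour discussed in this thread, as an added sketch that is not part of any message and is not Zope's own code: a toy model of the publisher's docstring rule next to unchecked programmatic traversal, plus an audit helper that lists which public methods the rule would expose by URL. The names `Tool`, `NotFound`, `traverse`, `publish` and `audit_publishable` are hypothetical.

```python
import inspect


class NotFound(Exception):
    """Raised by the toy publisher for anything it refuses to expose."""


class Tool:
    """A constructed tool with one documented and one undocumented method."""

    def listItems(self):
        """Return the visible items."""
        return ["a", "b"]

    def rebuildIndex(self):
        # No docstring: callable from code, refused by the toy publisher.
        return "reindexed"


def traverse(root, path):
    # Programmatic traversal (stand-in for restrictedTraverse in the thread):
    # it resolves names only and applies no docstring rule.
    obj = root
    for name in path.strip("/").split("/"):
        obj = getattr(obj, name)
    return obj


def publish(root, path):
    # URL publishing in this toy model: each traversed step must carry a
    # non-empty docstring, otherwise the caller sees "not found".
    # Under "python -OO" every __doc__ is None, so nothing would publish.
    obj = root
    for name in path.strip("/").split("/"):
        obj = getattr(obj, name, None)
        if obj is None or not (getattr(obj, "__doc__", None) or "").strip():
            raise NotFound(name)
    return obj() if callable(obj) else obj


def audit_publishable(obj):
    # Defender's view: map each public method to True when the docstring
    # rule would let it be reached by URL, False when it stays hidden.
    report = {}
    for name, member in inspect.getmembers(obj, callable):
        if not name.startswith("_"):
            report[name] = bool((member.__doc__ or "").strip())
    return report
```

Running `audit_publishable` over a product's classes before adding docstrings shows which methods would change from hidden to URL-reachable.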