Hi,

I have monkey-patched the QueueCatalog to adapt it to our needs, which works fine. I now wanted to introduce a new feature:

The QueueCatalog should be bypassed during mass-import of data. So I introduced a new variable "_bypass", and new getBypassQueue() and setBypassQueue methods in the monkey-patch:

    security.declareProtected(view_management_screens, 'getBypassQueue')
    def getBypassQueue(self):
        "get _by_pass"
        if not hasattr(self,"_bypass"):
            self._bypass = False
        return self._bypass

    security.declareProtected(view_management_screens, 'setBypassQueue')
    def setBypassQueue(self, bypass=False):
        "set _bypass"
        self._bypass = bypass

    from Products.QueueCatalog.QueueCatalog import QueueCatalog
    QueueCatalog.getBypassQueue = getBypassQueue
    QueueCatalog.setBypassQueue = setBypassQueue

I can invoke these methods from the url like:

    ../portal_catalog/setBypassQueue?bypass=1

and

    ../portal_catalog/getBypassQueue displays a 1

But when I do a:

    <input type="checkbox" name="enable_bypass" tal:attributes="checked here/portal_catalog/getBypassQueue" />

I get:

    Unauthorized: The container has no security assertions. Access to 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.

What am I missing here?

-- 
Regards, Joachim

Joachim Schmitz wrote:
> Hi,
>
> I have monkey-patched the QueueCatalog to adapt it to our needs, which works fine. I now wanted to introduce a new feature:
>
> The QueueCatalog should be bypassed during mass-import of data. So I introduced a new variable "_bypass", and new getBypassQueue() and setBypassQueue methods in the monkey-patch:
>
>     security.declareProtected(view_management_screens, 'getBypassQueue')
>     def getBypassQueue(self):
>         "get _by_pass"
>         if not hasattr(self,"_bypass"):
>             self._bypass = False
>         return self._bypass

I would write this as:

    return getattr(self, '_bypass', False)

avoiding both write-on-read and hasattr in one fell swoop.

>     security.declareProtected(view_management_screens, 'setBypassQueue')
>     def setBypassQueue(self, bypass=False):
>         "set _bypass"
>         self._bypass = bypass
>
>     from Products.QueueCatalog.QueueCatalog import QueueCatalog
>     QueueCatalog.getBypassQueue = getBypassQueue
>     QueueCatalog.setBypassQueue = setBypassQueue
>
> I can invoke these methods from the url like:
>
>     ../portal_catalog/setBypassQueue?bypass=1
>
> and
>
>     ../portal_catalog/getBypassQueue displays a 1
>
> But when I do a:
>
>     <input type="checkbox" name="enable_bypass" tal:attributes="checked here/portal_catalog/getBypassQueue" />
>
> I get:
>
>     Unauthorized: The container has no security assertions. Access to 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
>
> What am I missing here?

You need to supply security assertions for the new method you have added to the class (your security assertions are being "left behind" in the context where you defined the function). Likely you can add another attribute to the class, 'getBypassQueue__roles__', with the value being a tuple, ('Manager',) (unless you want to figure out how to create a PermissionRoles object yourself).

Tres.
-- 
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com

Tres Seaver wrote:
>>     security.declareProtected(view_management_screens, 'getBypassQueue')
>>     def getBypassQueue(self):
>>         "get _by_pass"
>>         if not hasattr(self,"_bypass"):
>>             self._bypass = False
>>         return self._bypass
>
> I would write this as:
>
>     return getattr(self, '_bypass', False)
>
> avoiding both write-on-read and hasattr in one fell swoop.

Thanks for the tip.

>>     <input type="checkbox" name="enable_bypass" tal:attributes="checked here/portal_catalog/getBypassQueue" />
>>
>> I get:
>>
>>     Unauthorized: The container has no security assertions. Access to 'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.
>>
>> What am I missing here?
>
> You need to supply security assertions for the new method you have added to the class (your security assertions are being "left behind" in the context where you defined the function). Likely you can add another attribute to the class, 'getBypassQueue__roles__', with the value being a tuple, ('Manager',) (unless you want to figure out how to create a PermissionRoles object yourself).

I solved it with:

    QueueCatalog.getBypassQueue__roles__ = ['Manager', 'Owner',]

Thanks for the help.

-- 
Regards, Joachim

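The "left behind" declaration and the `__roles__` fix discussed above, as a simplified pure-Python model added here as an example (it is not code from the thread and not AccessControl's implementation). `MiniSecurityInfo`, `check_access`, `patched_class`, `template_call` and `demo` are hypothetical names, and roles stand in directly for the permission.

```python
# Simplified model of per-method role lookup; NOT AccessControl's real code.
# MiniSecurityInfo, check_access, patched_class and demo are hypothetical names.

class Unauthorized(Exception):
    pass

class MiniSecurityInfo:
    """Records declarations on itself; in this model nothing copies them to a class."""
    def __init__(self):
        self._roles = {}

    def declare_protected(self, roles, name):
        self._roles[name] = tuple(roles)   # stored on this object, not on any class

def check_access(obj, name, user_roles):
    """Model of the check made when a template or script touches obj.name."""
    roles = getattr(obj, name + "__roles__", None)
    if roles is None:
        raise Unauthorized("no security assertions for %r" % name)
    if not set(roles) & set(user_roles):
        raise Unauthorized("%r requires one of %r" % (name, roles))
    return getattr(obj, name)

# The monkey-patch module: the declaration lands on a module-level object ...
security = MiniSecurityInfo()
security.declare_protected(("Manager",), "getBypassQueue")

def getBypassQueue(self):
    "get _bypass"
    return getattr(self, "_bypass", False)

def patched_class():
    cls = type("FakeCatalog", (), {})      # stands in for QueueCatalog
    cls.getBypassQueue = getBypassQueue    # ... but only the function is copied over
    return cls

def template_call(cls, user_roles):
    try:
        return check_access(cls(), "getBypassQueue", user_roles)()
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc

def demo():
    cls = patched_class()
    before = template_call(cls, ["Manager"])
    cls.getBypassQueue__roles__ = ("Manager",)   # the fix suggested in the thread
    after = template_call(cls, ["Manager"])
    denied = template_call(cls, ["Anonymous"])
    return before, after, denied
```
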
Joachim Schmitz wrote at 2007-9-19 11:54 +0200:
> and
>
>     ../portal_catalog/getBypassQueue displays a 1

This looks like a security bug. You should not be able to "call" something via the ZPublisher that you cannot call in a script. Maybe you could file a bug report?

-- 
Dieter

participants (3)
- Dieter Maurer
- Joachim Schmitz
- Tres Seaver