DTML Documents/Folders in ZClasses fail to access anything
Hi, I got a ZClass 'Test', with a DTML Method 'view' containing <dtml-var id>, and a DTML Document 'view2' with the same line. instance/view works. instance/view2 returns (ZDebug output): Error type: Unauthorized Error value: The object /test/view2, which is contained in /test/view2, is marked as private. Traceback (innermost last): File /opt/Zope-2.3.0-linux2-x86/lib/python/ZPublisher/Publish.py, line 222, in publish_module File /opt/Zope-2.3.0-linux2-x86/lib/python/ZPublisher/Publish.py, line 187, in publish File /opt/Zope-2.3.0-linux2-x86/lib/python/ZPublisher/Publish.py, line 171, in publish File /opt/Zope-2.3.0-linux2-x86/lib/python/ZPublisher/mapply.py, line 160, in mapply (Object: view2) File /opt/Zope-2.3.0-linux2-x86/lib/python/ZPublisher/Publish.py, line 112, in call_object (Object: view2) File /opt/Zope-2.3.0-linux2-x86/lib/python/OFS/DTMLDocument.py, line 189, in __call__ (Object: view2) File /opt/Zope/lib/python/Products/ZDebug/DTMLLocator.py, line 103, in __call__ (Object: view2) File /opt/Zope-2.3.0-linux2-x86/lib/python/DocumentTemplate/DT_String.py, line 538, in __call__ (Object: view2) File /opt/Zope/lib/python/Products/ZDebug/DTMLDebug.py, line 259, in debug_render_blocks File /opt/Zope/lib/python/Products/ZDebug/DTMLDebug.py, line 239, in debugException File /opt/Zope/lib/python/Products/ZDebug/DTMLDebug.py, line 256, in debug_render_blocks File /opt/Zope-2.3.0-linux2-x86/lib/python/OFS/DTMLMethod.py, line 261, in validate (Object: view2) File /opt/Zope-2.3.0-linux2-x86/lib/python/AccessControl/SecurityManager.py, line 144, in validate File /opt/Zope/lib/python/Products/ZDebug/DebugSecurityPolicy.py, line 304, in validate Unauthorized: (see above) The same happens if I place a copy of 'view' inside a Folder in the ZClass and call instance/folder/view, except that this time the Folder is flagged as the 'private' object. Why? What? Is this a bug? Or is it supposed to work this way and I just don't get it? Did I fall behind on my sheep sacrifices? Or was it changed to goats and I missed the memo? Environment: Zope 2.3.0, ZClass subclassing only ZObject, using stock acl_users and storing the instance in a standard Folder. -- -- Itai Tavor -- "Je sautille, donc je suis." -- itai@optusnet.com.au -- - Kermit the Frog -- -- -- -- "If you haven't got your health, you haven't got anything" --
Itai Tavor wrote:
Hi,
I got a ZClass 'Test', with a DTML Method 'view' containing <dtml-var id>, and a DTML Document 'view2' with the same line. instance/view works. instance/view2 returns (ZDebug output):
From SimpleItem.py:
"""Direct use of the 'id' attribute is deprecated - use getId()""" The difference you're seeing is because the DTML Method is acquiring the id attribute, whereas you're getting the DTML Document's own id attribute. -- Steve Akexander Software Engineer Cat-Box limited http://www.cat-box.net
Steve Alexander wrote:
Itai Tavor wrote:
Hi,
I got a ZClass 'Test', with a DTML Method 'view' containing <dtml-var id>, and a DTML Document 'view2' with the same line. instance/view works. instance/view2 returns (ZDebug output):
From SimpleItem.py:
"""Direct use of the 'id' attribute is deprecated - use getId()"""
The difference you're seeing is because the DTML Method is acquiring the id attribute, whereas you're getting the DTML Document's own id attribute.
Thanks, but it's got nothing to do with getId... I just used id because it's easy to write. I get the same behavior if I try to view meta_type, or a property that is defined on a propertysheet in the ZClass. And the fact that the DTML Document uses its own attributes shouldn't cause Unauthorized, should it? It should just show a different attribute, or acquire the attribute if it doesn't have it. I just tried it again with a clean install of Zope 2.3.0. In a DTML Document, this works (name is a property in the ZClass propertysheet): <dtml-with "PARENTS[0]"> <dtml-var name> <dtml-var meta_type> </dtml-with> But these fail with Unauthorized: <dtml-var name>, <dtml-var meta_type>. The <dtml-var title_or_id> in standard_html_header fails as well. I also repeated the folder test: In a DTML Method stored inside a folder in the ZClass, <dtml-var name> works, but <dtml-var title_or_id> fails. So what do we have? I can't use title_or_id on DTML Documents, so it's useless for use in standard_html_header (and title_or_id uses getId, so it should work). I can't access ZClass properties from the DTML Document unless I use dtml-with - meaning no acquisition. And I can't access properties of the DTML Document (like meta_type) unless they are accessed using a method call (like getId()). This can't be right. I find it hard to believe that if this is really a bug, it didn't bother anybody else until now. On the other hand, these tests seem to show a problem with security checks on objects in ZClasses that create their own context. So what am I still missing here? Itai -- -- Itai Tavor -- "Je sautille, donc je suis." -- itai@optusnet.com.au -- - Kermit the Frog -- -- -- -- "If you haven't got your health, you haven't got anything" --
participants (2)
-
Itai Tavor -
Steve Alexander