Dear Zopistas,

I just met the following problem caused by a misfortunate name clash between Python2.x and Zope:

DTML-Document:

    <dtml-var standard_html_header>
    <h2><dtml-var title_or_id></h2>
    <table cellpadding=5>
    <dtml-in propertyIds>
      <dtml-let p=sequence-item>
        <tr><th>&dtml-p;</th><td><dtml-var "_[p]"></td></tr>
      </dtml-let>
    </dtml-in>
    </table>
    <dtml-var standard_html_footer>

When this document is rendered, Shane's wonderful ZDebug tool reports:

    Error type: Unauthorized
    Error value: Access denied for <built-in method title of string object at 0x8d45e50> because its container, 'title', has no security assertions.
    Innermost method: /Test/wt/Target

    Namespace Stack (innermost entry at top)

    ID       Type
    (N/A)    mapping with keys: ['p']
    ?        InstanceDict
    ?        DocumentTemplate.DT_InSV.sequence_variables
    (N/A)    mapping with keys: ['propertyIds']
    (N/A)    mapping with keys: ['document_id', 'document_title']
    Target   InstanceDict
    Target   InstanceDict
    REQUEST  ZPublisher.HTTPRequest.HTTPRequest

.... problem in "_[p]".

What happens here?

"dtml-in" pushes the property id "title" (a string) onto the namespace stack. It is the next-to top "InstanceDict" entry. Starting with Python 2.0 (maybe 1.6), string objects have methods, among them "title". When "title" is looked up in the namespace, the "title" of the string object is found and not the one of the DTML Document. This wrong "title" method gives an "Unauthorized" exception because string objects do not participate in Zope's security mechanism.

Danger

Any string object on the namespace can prevent access to the "title" property. Probably only "dtml-in" and (if used wrongly) "dtml-with" are affected.

Thank you Shane for the wonderful "ZDebug". Without it, it would have been much more difficult to analyse this problem.

Dieter
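Added example, not part of the original posts and not Zope's own code: a simplified Python 3 model of the namespace-stack lookup described in the message above, showing how a string pushed as an instance frame shadows the document's "title". The class names, the `skip_strings` switch and the sample title are assumptions made for illustration.

```python
# Simplified model of a DTML-style namespace stack (assumption; not Zope's code).
import types

class Unauthorized(Exception):
    pass

class Document:
    """Stand-in for the DTML Document; 'title' is one of its properties."""
    title = "Quarterly report"  # constructed sample value

class InstanceDict:
    """Frame that resolves names as attributes of the wrapped object."""
    def __init__(self, obj):
        self.obj = obj
    def __contains__(self, name):
        return hasattr(self.obj, name)
    def __getitem__(self, name):
        return getattr(self.obj, name)

def resolve(stack, name, skip_strings=False):
    """Return the first binding of name, innermost frame first."""
    for frame in stack:
        wraps_str = isinstance(frame, InstanceDict) and isinstance(frame.obj, str)
        if skip_strings and wraps_str:
            continue  # hypothetical hardening: a plain string is not a namespace
        if name in frame:
            value = frame[name]
            if isinstance(value, types.BuiltinMethodType):
                # Stands in for the security check: str methods carry no assertions.
                raise Unauthorized(f"access denied for {value!r}")
            return value
    raise KeyError(name)

def render_property(doc, item, skip_strings=False):
    """Evaluate _[p] with the frames dtml-let and dtml-in would have pushed."""
    stack = [{"p": item}, InstanceDict(item), InstanceDict(doc)]
    p = resolve(stack, "p", skip_strings)
    return resolve(stack, p, skip_strings)

if __name__ == "__main__":
    try:
        render_property(Document(), "title")
    except Unauthorized as exc:
        print("shadowed:", exc)
    print("hardened:", render_property(Document(), "title", skip_strings=True))
```

Any property id that matches a string method name ("title", "index", "count", ...) is shadowed the same way in this model; ids that are not string methods fall through to the document frame.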
On Sun, 1 Jul 2001 16:15:40 +0200 (CEST), Dieter Maurer <dieter@handshake.de> wrote:
> I just met the following problem caused by a misfortunate name clash between Python2.x and Zope:
The *real* problem here (IMO, and I know I am close to alone on this one ;-) is overstretching dtml beyond what it is good for; that is trivial document templating.

dtml-in is particularly bad at polluting the dtml namespace (which is particularly serious because you have only got one of them)

Toby Dickenson
tdickenson@geminidataloggers.com
Toby Dickenson writes:
> On Sun, 1 Jul 2001 16:15:40 +0200 (CEST), Dieter Maurer <dieter@handshake.de> wrote:
>> I just met the following problem caused by a misfortunate name clash between Python2.x and Zope:
> The *real* problem here (IMO, and I know I am close to alone on this one ;-) is overstretching dtml beyond what it is good for; that is trivial document templating.

My task was a trivial presentation task: displaying the properties of an object...

> dtml-in is particularly bad at polluting the dtml namespace (which is particularly serious because you have only got one of them)

It makes the presentation of database queries really easy....
Dieter
On Mon, 2 Jul 2001 19:29:09 +0200 (CEST), Dieter Maurer <dieter@handshake.de> wrote:
> My task was a trivial presentation task: displaying the properties of an object...

From your description it looked like you were merging the properties of two objects into one report, which (IMO) is beyond my personal dander-level for dtml. dtml's simplicity comes from only having one namespace, which is only really enough for manipulating one object at a time.

(I've looked back on your original post and can't quite match up the code to your explanation, so my comments may be unjustified here. "blame dtml" has become an automatic reaction, partly because I had been burned many times by problems similar to what you describe)

>> dtml-in is particularly bad at polluting the dtml namespace (which is particularly serious because you have only got one of them)
> It makes the presentation of database queries really easy....

Mmmm, too easy.

Toby Dickenson
tdickenson@geminidataloggers.com