DTML sqltest tag and python expr. Bug in Zope Book?
Hello everyone, I was recently working on a quite big ZSQL method (around 100 lines). I was using only <dtml-if> and <dtml-sqlvar> tags and a lot of "like '%...%'", so thought I could make things look much nicer using <dtml-sqlgroup> and <dtml-sqltest ... op="like" optional>. But I ran into a big hurdle: I quickly searched through the archive and found the thread "[Zope-dev] ZSQL using LIKE operator", and in particular: http://lists.zope.org/pipermail/zope-dev/2001-February/009339.html which is exactly what I would like to do. But unfortunately, <dtml-sqltest "..."> does not seem to work. We get the following error: " The "..." shorthand for expr was used in a tag that doesn't support expr attributes., for tag <dtml-sqltest [...] " I checked sqltest.py (Zope 2.3.2): no support for python expr in there. Interestingly, the Zope Book mentions the use of python expressions with sqltest in its DTML Reference: http://www.zope.org/Members/michel/ZB/AppendixA.dtml Is there a patched sqltest.py that I don't know about or is this a bug in the book? Anyway, does anyone know of a good reason why the sqlvar tag supports python expr while sqltest does not? Some obscure security hole? Or is the functionality just missing? And in that case, is anyone up for a patch? It's not critical, but the following kind of defeats the purpose of sqlgroup: <dtml-sqlgroup where required> <dtml-if title> title like <dtml-sqlvar "'%%%s%%' % title" type="string"> </dtml-if> <dtml-and> <dtml-if author> title like <dtml-sqlvar "'%%%s%%' % author" type="string"> </dtml-if> </dtml-sqlgroup> The following would be much nicer: <dtml-sqlgroup where required> <dtml-sqltest "'%%%s%%' % title" op="like" type="string" optional> <dtml-and> <dtml-sqltest "'%%%s%%' % author" op="like" type="string" optional> </dtml-sqlgroup> Note: in this particular case, I could preprocess the variables and add the surrounding wildcards in the call to the ZSQL method. But that would restrict the way this method can be called (URL traversal is definitively a cool feature to impress newbies ;) ), and that's not the point here anyway: we would just like python expressions in sqltest tags. Cheers, -- Yves-Eric MARTIN yemartin@yve.net
Yves-Eric Martin writes:
But unfortunately, <dtml-sqltest "..."> does not seem to work. We get the following error:
" The "..." shorthand for expr was used in a tag that doesn't support expr attributes., for tag <dtml-sqltest [...] " I expect that "dtml-sqltest" does not support the "expr" attribute due to its "optional".
It is not easy to define the semantics of "optional" for arbitrary expressions. Your example seems to suggests, that you would like the tag to be omitted, when the expression raise a NameError. But, in fact, it is not clear whether this is anticipated by "optional" or a serious problem (maybe deep in the expression) that should be reported. Dieter
On Thu, 28 Jun 2001 22:42:13 +0200 (CEST) Dieter Maurer <dieter@handshake.de> wrote:
I expect that "dtml-sqltest" does not support the "expr" attribute due to its "optional".
It is not easy to define the semantics of "optional" for arbitrary expressions.
True, but you already found a possible answer:
Your example seems to suggests, that you would like the tag to be omitted, when the expression raise a NameError. But, in fact, it is not clear whether this is anticipated by "optional" or a serious problem (maybe deep in the expression) that should be reported.
To overcome that problem, I think it would make sense to treat the "optional" like this: when the expression raises a NameError, if the variable name that caused the error is an expected argument of the ZSQLMethod, then this argument was not provided, so do not render the sqltest tag. Otherwise, we have a real error. In a pythonish algorithm, that would look like this: try: renderedExpr = eval(expr) except NameError, varName: if varName in ZSQLMethodArguments: # "optional" behavior for missing variable pass else: # We have a real error raise NameError, varName else: # render sqltest tag ... Do you think that makes sense? -- Yves-Eric Martin yemartin@yve.net
Yves-Eric Martin writes:
I expect that "dtml-sqltest" does not support the "expr" attribute due to its "optional".
It is not easy to define the semantics of "optional" for arbitrary expressions. .... To overcome that problem, I think it would make sense to treat the "optional" like this: when the expression raises a NameError, if the variable name that caused the error is an expected argument of the ZSQLMethod, then this argument was not provided, so do not render the sqltest tag. Otherwise, we have a real error. In a pythonish algorithm, that would look like this:
try: renderedExpr = eval(expr) except NameError, varName: if varName in ZSQLMethodArguments: # "optional" behavior for missing variable pass else: # We have a real error raise NameError, varName else: # render sqltest tag ...
Do you think that makes sense? If I were a purist, I would answer: no.
The name error could come from a nested call that incidentally uses the same name for a variable as a request argument. If I were a Zope maintainer, I would answer: no. The feature is rarely used and if it is, there is a way to do it with existing DTML means: As you demonstrated: <dtml-if XXX> <dtml-sqltest ...> </dtml-if> does work, although it is not really nice -- but not too bad, either. If I would need this feature extensively, I would privately enhance Zope as necessary. I learned yesterday, how to use "cvs import/checkout/update" to keep such private enhancements across Zope upgrades. But your point was: The feature is used in the Zope book, thus, apparently, it was useful. The question: "why not implement the feature rather than change the book". Maybe, DC says something about this.... Dieter
On Sat, 30 Jun 2001 11:41:57 +0200 (CEST) Dieter Maurer <dieter@handshake.de> wrote:
If I were a purist, I would answer: no.
The name error could come from a nested call that incidentally uses the same name for a variable as a request argument.
Granted. But I have just been thinking: the dtml-var tag does support python expressions. And its "missing" attribute is quite similar to the "optional" of dtml-sqltest, don't you think? The "missing" attribute works only when a variable name is provided. It has no effect on python expression: if noVar is not defined: <dtml-var noVar missing=""> returns nothing, <dtml-var "noVar" missing=""> raises a NameError. So for consistency, we can do the same with the dtml-sqltest tag: it would accept python expression, and the "optional" would work only with variable names, not python expressions.
If I were a Zope maintainer, I would answer: no.
The feature is rarely used and if it is, there is a way to do it with existing DTML means:
Well, of course it is not being used much, since it is not implemented... ;o) Anyway, I guess it all depends on what you use Zope for. As far as I am concerned, many of the Zope projects I have been involved in included heavy database queries. So I used that "feature" (with the workarounds we described) quite a lot.
But your point was: The feature is used in the Zope book, thus, apparently, it was useful. The question: "why not implement the feature rather than change the book".
Exactly. I think that this feature should be implemented for: o consistency with other tags, o consistency with the Zope Book (DTML *REFERENCE*!) o and its usefulness to people like me ;)
Maybe, DC says something about this....
Cheers! -- Yves-Eric Martin yemartin@yve.net
participants (3)
-
Dieter Maurer -
Yves-Eric Martin -
Yves-Eric Martin