Christopher N. Deckard wrote:
We recently upgraded to 2.6.4, and are now having a problem with our custom UserFolder Product. I've narrowed everything down to a few methods, but am at a loss on how to fix it.
In our UserFolder User class, we have overridden getRolesInContext to look for a Python Script (we call it an "authorize script"), in parent folders of the published object. It then calls each script to programatically add roles at runtime. This works great with Zope 2.6.2. I have noticed that in Zope 2.6.4 the method Bindings._getContext in Shared/DC/Scripts/Bindings.py has new validate code in it. I believe this is what is causing the problem for us.
What is strange is that this is only a problem when using ExternalEditor, and when the container of the object we are trying to edit contains an "authorize script". From the ZMI there are no problems, and from folders under the folder with the "authorize script" there are no problems editing with ExternalEditor.
Any help would be appreciated. Below is our code, and the two _getContext implementations for quicker reference.
The recursion problem stems from the fact that the new bindings machinery wants to ensure that the user has roles for the context before binding it, but you need the script to run to determine whether the user has roles. The older code created a nasty security issue for sites which made it possible for untrusted users to write PythonScripts. I don't know that this will work, but try giving the script proxy role of 'Manager'; if that works, then you are set. If it doesn't work, then I believe you need to look at converting your PythonScripts to instances of a "tool" class which can run the check as trusted code. Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com