Jeffrey Hood wrote at 2003-6-26 17:32 -0400:
I have an external method (which makes a SOAP call) which when running the test on, works and returns data as expected... however, with the following tal code: ... <table border="1" tal:define="data python:here.getRecords()['item']"> <tr tal:repeat="record data"> <td tal:content="python:record[0]">record item 1</td> ... I am getting a basic authentication box... which I don't want... and additionally, no matter if I type in a valid superuser login and password, the box just keeps coming up...
What type of object is "record"? What type is "record[i]"? Either one seems to be an instance without security declarations. Convert the "record" into a dictionary (in your External Method) or give "record[i]" the necessary security declarations (see Zope Developer Guide, for details).
I'm guessing that there is some kind of permission problem, although I don't know why calling it via the url anonymously (http://...../getRecords) returns the same as the test... is there something that I am missing in tal to call the external method that requires setting some permissions ?
You may have encountered a security bug! ZPublisher (more precisely "BaseResponse") converts the result into a string (calling "str"). This is done from unrestricted code. It may reveal information which is not available from restricted code (as your TAL). Please file a bug report. Dieter