Tres Seaver wrote:
Christopher N. Deckard wrote:
We recently upgraded to 2.6.4, and are now having a problem with our custom UserFolder Product. I've narrowed everything down to a few methods, but am at a loss on how to fix it.
In our UserFolder User class, we have overridden getRolesInContext to look for a Python Script (we call it an "authorize script"), in parent folders of the published object. It then calls each script to programatically add roles at runtime. This works great with Zope 2.6.2. I have noticed that in Zope 2.6.4 the method Bindings._getContext in Shared/DC/Scripts/Bindings.py has new validate code in it. I believe this is what is causing the problem for us.
What is strange is that this is only a problem when using ExternalEditor, and when the container of the object we are trying to edit contains an "authorize script". From the ZMI there are no problems, and from folders under the folder with the "authorize script" there are no problems editing with ExternalEditor.
Any help would be appreciated. Below is our code, and the two _getContext implementations for quicker reference.
The recursion problem stems from the fact that the new bindings machinery wants to ensure that the user has roles for the context before binding it, but you need the script to run to determine whether the user has roles. The older code created a nasty security issue for sites which made it possible for untrusted users to write PythonScripts.
I don't know that this will work, but try giving the script proxy role of 'Manager'; if that works, then you are set.
If it doesn't work, then I believe you need to look at converting your PythonScripts to instances of a "tool" class which can run the check as trusted code.
Tres.
While setting the proxy role of 'Manager' does make things work for us, I'm confused as to why this is necessary. (Also, setting proxy role of 'Anonymous' works just fine too.) Why is accessing an object different in the context of ExternalEditor compared to that of accessing it through the ZMI. If I have a structure like: / /FOO /FOO/authorize /FOO/bar I can edit bar just fine through the ZMI, but not through ExternalEditor. I don't understand why there should be a difference here. /FOO/authorize still has to be called by our UserFolder, whether it be from the ZMI or EE. Thanks, -Chris -- -------------------------------------------------------------------- Christopher N. Deckard | Lead Web Systems Developer cnd@ecn.purdue.edu | Engineering Computer Network http://eng.purdue.edu/ECN/ | Purdue University ---- zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)"\005w') ---