Well, it didn't work. As soon as I tried to create a loop and access the .desc property of the ISLine objects, I got this message;

Error Type: Unauthorized
Error Value: You are not allowed to access desc in this context

I guess I don't understand how or why I'm hitting this. I've already run the module that does the dangerous thing - accessing the database. All I'm getting back is a list of objects but I can't even reference the desc attribute which is just a string. I'd like to just disable the security stuff until I get things working. I don't really have time to fight with it right now. When I do put it in, it will be based on the SQL server security not on Zope's.

I went to the developer guide and tried their example. I put this at the top;

from AccessControl import ClassSecurityInfo

After the class definition line before the first (__init__) function, I put these lines;

    security = ClassSecurityInfo()
    security.declarePublic('DefLines')

I saved and reloaded everything but I still get the logon dialog. I must be close but it's just not working. I really don't understand. The work is done. All I'm trying to do is access the resulting data in the ZPT. Here are the offending lines;

<!-- The GetISLines is an external module that returns a list -->
<tr tal:repeat="item here/GetISLines">
  <!-- this should display the line description for each line -->
  <td tal:content="item/desc">desc</td>
</tr>

That's it but for some unknown security reason, it blows up.

P.S. I've also gone through my three other Zope books but haven't been able to find the answer. I don't mean to complain but it seems every time I think I've got it, I get whacked. I really do appreciate the help though :).

-----Original Message-----
From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On Behalf Of Goldthwaite, Joe
Sent: Monday, December 01, 2003 2:39 PM
To: zope@zope.org
Subject: RE: [Zope] Security?

Thanks Casey,

The DefLines attribute of the ISLines object was a simple list.
I changed the return from "return c" to "return c.DefLines" and then modified this;

<p tal:replace="python:len(here.GetISLines().DefLines)"></p>

to this;

<p tal:replace="python:len(here.GetISLines())"></p>

And it returned; I got my 75 line count in the Income Statement. I'll try creating a loop that displays the lines on the page.

I had gone through the developer guide chapter on security but it's not making much sense yet. I'm going to see if I can access my line objects and I'll revisit the assertions if it doesn't work. (The line object has a method that returns a year to date number and I suspect I'll get the unauthorized method when I try to access it).

Thanks again - and thanks to everyone else who answered with help.

-----Original Message-----
From: Casey Duncan [mailto:casey@zope.com]
Sent: Monday, December 01, 2003 2:13 PM
To: joe@goldthwaites.com
Cc: zope@zope.org
Subject: Re: [Zope] Security?

These Unauthorized errors (login boxes) are caused by trying to access objects from untrusted code that do not have any Zope security assertions on them. TTW code (Python Scripts, DTML and Page Templates), including skins on the file system exposed through FS directory views, are untrusted code. They execute using a restricted Python interpreter which prevents access to arbitrary Python objects and modules that might represent a security hole (and allow you to compromise the server).

There are two solutions to your problem:

1. Use trusted code, which includes external methods and Zope product modules, and have them return simple types (strings, ints, etc) or simple containers (lists, dicts, tuples) containing simple types up to the template that is rendering the page. Simple types are deemed safe for untrusted code by default (along with some others, like DateTime objects).

2. Put security assertions on the objects used by untrusted code. This usually requires you to subclass the objects, but not always. See the Zope developers guide for details.
In most cases #1 is sufficient unless there are many places where it is desirable for untrusted code to have access to the objects directly, in which case use #2.

hth,

-Casey

On Mon, 1 Dec 2003 13:45:01 -0700 "Goldthwaite, Joe" <joe@goldthwaites.com> wrote:
Well, I don't know if it's progress but I think my questions are getting more specific.
I downloaded the mx.ODBC routines for Python 2.1.3. I can now start the python interpreter in the WebSite\bin directory and type "import mx.ODBC" without getting an error.
I next tried to create a limited python script;
from Products.EIS import ISLines
c = ISLines()
return "c"
I'm just returning the literal "c" on purpose because my page template can't handle the ISLines yet. In my Income Statement ZPT I have this line;
<p tal:replace="python:here.IncomeStatementScript()"></p>
When I try to display the ZPT, I get the Zope logon dialog box. I only have one login and it doesn't work so I just hit cancel and get "You are not allowed to access EIS in this context". (I had placed the ISLines.py file in my Products/EIS directory.)
After that, I decided to try external modules. I added this wrapper function to my ISLines.py module;
def GetISLines():
    c = ISLines()
    return "c"
Again, I put the literal "c" there to make sure I was calling things correctly. I moved the ISLines.py file to the Extensions directory and created a GetISLines external method referencing the new function in the Zope root folder. I tested it and got the "c" back. Next, I put this line in my IncomeStatement ZPT;
<p tal:replace="python:here.GetISLines()"></p>
When I test it, I get the "c" back. Interestingly, there was also a pause of about the amount of time it takes to run ISLines and build the Income Statement lines. I thought I was almost there. The next step was to return the actual object and print out the number of lines returned. I modified the 'return "c"' line to 'return c'. Now when I run it, I get "<? ISLines instance at 014879EC>" so I know I'm now returning my object. Finally I try to reference my list of lines by printing the length like this;
<p tal:replace="python:len(here.GetISLines().DefLines)"></p>
DefLines is a list of income statement line objects. I go to refresh and I get the Logon dialog again! #$%@ &@#% &^@$!!!! Sorry, I don't usually use that kind of language but I seem to be shooting at the wrong target. It's no wonder I can't hit anything.
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
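Solution 1 from Casey's reply, shown as an added example that is not part of the original thread: the external method does all object access in trusted code and hands the template only lists and dicts of simple values, with a check that nothing else leaks through. The class bodies are constructed stand-ins, and the names `ytd` and `is_simple` and the sample figures are assumptions; only `ISLines`, `ISLine`, `DefLines`, `desc` and `GetISLines` come from the thread.

```python
# Added example. ISLine/ISLines below are constructed stand-ins for the
# poster's classes; ytd() is a hypothetical name for the year-to-date method.

SIMPLE_TYPES = (str, int, float, bool, type(None))


class ISLine:
    """Stand-in for one income statement line (no security assertions)."""

    def __init__(self, desc, amounts):
        self.desc = desc
        self._amounts = amounts

    def ytd(self):
        return sum(self._amounts)


class ISLines:
    """Stand-in; the real class builds DefLines from the database."""

    def __init__(self):
        # Constructed sample data.
        self.DefLines = [ISLine("Sales", [100.0, 250.5]),
                         ISLine("Cost of goods sold", [-40.0, -90.25])]


def is_simple(value):
    """True if value consists only of simple types and simple containers."""
    if isinstance(value, SIMPLE_TYPES):
        return True
    if isinstance(value, (list, tuple)):
        return all(is_simple(v) for v in value)
    if isinstance(value, dict):
        return all(is_simple(k) and is_simple(v) for k, v in value.items())
    return False  # arbitrary instances are what restricted code rejects


def GetISLines():
    """External method: touch the objects here, return plain data only."""
    rows = [{"desc": line.desc, "ytd": line.ytd()}
            for line in ISLines().DefLines]
    if not is_simple(rows):
        raise TypeError("GetISLines must return only simple types")
    return rows
```

Returning `c.DefLines` directly passes a simple list whose items are still unprotected `ISLine` instances, which is why `len()` works in the template while `item/desc` raises Unauthorized.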