Hi Phil,

Defining classes in external methods is... an interesting experience. I don't recommend it. It gets tricky because the file that external methods are defined in isn't actually a Python module, so interpreting the behavior is hard.

That said, the security chapter of the developer's guide goes into this a little (http://www.zope.org/Documentation/ZDG/Security.dtml). The problem is that the instances you're putting in the array don't have any security declarations, therefore access to them is denied (raising the Unauthorized). The fix for this is to add security declarations to the class, e.g. (untested):

    from AccessControl import ClassSecurityInfo
    from Globals import InitializeClass

    class c:
        security = ClassSecurityInfo()
        security.declareObjectPublic()      # the instances themselves are public
        security.setDefaultAccess('allow')  # their attributes (score, test) are readable

        def __init__(self, a):
            self.score = a
            self.test = a * a

    # Apply the declarations once, at definition time, not on every call of t().
    InitializeClass(c)

    def t(self):
        retval = []
        for a in range(1, 10):
            retval.append(c(a))
        return retval

If this doesn't work for some reason (setDefaultAccess was broken in at least one Zope release), try to define the class c like so:

    class c:
        __allow_access_to_unprotected_subobjects__ = 1

        def __init__(self, a):
            self.score = a
            self.test = a * a

----- Original Message -----
From: Phil Harris
To: zope@zope.org
Sent: Wednesday, May 09, 2001 10:08 AM
Subject: [Zope] Security Problems?

All,

I've got a sneaking suspicion that there are some security problems in Zope 2.3.x. I've been trying to make a simple testcase and would like other (better) minds than mine to look at it.

I have an external method which looks like:

    class c:
        def __init__(self, a):
            self.score = a
            self.test = a * a

    def t(self):
        retval = []
        for a in range(1, 10):
            retval.append(c(a))
        return retval

The class 'c' is a very simple class, it has no methods and only two attributes/properties 'score' and 'test'. The external method 't' is also very simple, it just returns an array of class 'c'.

The dtml-method I'm using to access this array is as follows:

    <dtml-var standard_html_header>
    <dtml-in t>
      <dtml-var "_['sequence-item'].score">
    </dtml-in>
    <dtml-var standard_html_footer>

Nothing earth shattering there either. BUT, I get an unauthorized error raised with this traceback whenever I run this dtml-method: (note that an authentication login box is presented but NO user name is able to authenticate)

    Traceback (innermost last):
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
      File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in call_object
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in __call__
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in renderwob
        (Object: t)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
        (Object: _['sequence-item'].score)
        (Info: _)
      File <string>, line 0, in ?
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
      File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in validate
      File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168, in validate
    Unauthorized: score

All of this is run on a bog standard install of Zope 2.3.2 with no other products installed, no security changes done, REALLY bog standard.

Anyone got any ideas? Cos this is doin my f'in ed in man?!?!?!?!?!?

Phil
phil.harris@zope.co.uk
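As an added illustration (not Zope's code and not from either poster), here is a stand-alone Python model of the decision that ZopeSecurityPolicy.validate makes at the bottom of the traceback: a value with no __roles__ of its own may only be read through a container that carries __allow_access_to_unprotected_subobjects__, which is exactly what setDefaultAccess('allow') (applied by InitializeClass) and the second fix set. The class names and the dtml_read helper are constructed for the example; the real policy additionally checks roles and user permissions, which are left out here.

```python
class Unauthorized(Exception):
    """Stands in for AccessControl.Unauthorized in this model."""


_noroles = object()  # sentinel: the value carries no __roles__ at all


def validate(container, name, value):
    """Model of the 'unprotected subobject' branch of Zope's security policy.

    Called for the access `container.<name>` that yields `value`.  Returns
    True when access is allowed, raises Unauthorized(name) otherwise.
    """
    roles = getattr(value, '__roles__', _noroles)
    if roles is None:
        return True                      # value declared public (declareObjectPublic)
    if roles is not _noroles:
        raise NotImplementedError('role/permission checks are not modelled here')
    # The value has no declarations, so the container decides.
    policy = getattr(container, '__allow_access_to_unprotected_subobjects__', None)
    if policy is None:
        raise Unauthorized(name)         # fail closed: this is Phil's "Unauthorized: score"
    if isinstance(policy, dict):
        allowed = policy.get(name, 0)    # per-attribute allow list
    elif callable(policy):
        allowed = policy(name, value)    # custom decision function
    else:
        allowed = policy                 # plain 1 allows, 0 denies
    if not allowed:
        raise Unauthorized(name)
    return True


class Unprotected:
    """Phil's original class: no security declarations at all."""
    def __init__(self, a):
        self.score = a
        self.test = a * a


class AllowAll(Unprotected):
    """Effect of setDefaultAccess('allow') or of the second suggested fix."""
    __allow_access_to_unprotected_subobjects__ = 1


class AllowScoreOnly(Unprotected):
    """Dict form: expose only the attributes that DTML genuinely needs."""
    __allow_access_to_unprotected_subobjects__ = {'score': 1}


def dtml_read(obj, name):
    """Model of `_['sequence-item'].<name>`: the value, or the error text."""
    value = getattr(obj, name)
    try:
        validate(obj, name, value)
    except Unauthorized as exc:
        return 'Unauthorized: %s' % exc
    return value
```

The dict form is the least-privilege variant: it lets a template read 'score' while 'test' stays unreachable, instead of opening every attribute the class will ever grow.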