Dieter Maurer wrote:
Jeffrey Hood wrote at 2003-6-26 17:32 -0400:
I have an external method (which makes a SOAP call) which when running the test on, works and returns data as expected... however, with the following tal code:

...
<table border="1" tal:define="data python:here.getRecords()['item']">
  <tr tal:repeat="record data">
    <td tal:content="python:record[0]">record item 1</td>
...

I am getting a basic authentication box... which I don't want... and additionally, no matter if I type in a valid superuser login and password, the box just keeps coming up...
What type of object is "record"? What type is "record[i]"? Either one seems to be an instance without security declarations.
getRecords() returns:

{u'item': [['1', 'Fido', '5.00'], ['2', 'Spot', '10.00'], ['4', 'Sparky', '24'], ['9', 'Buffy', '10'], ['10', 'Bobby', '50']]}

(BTW, I'm a beginner with Python/Zope, so forgive me if I don't get the terminology correct...) I've been told that that is a dictionary...
Convert the "record" into a dictionary (in your External Method) or give "record[i]" the necessary security declarations (see the Zope Developer Guide for details).
If it is a dictionary, is it outside the need for security declarations? I've looked at the Guide, and don't really understand how to set permissions on a return value...
I'm guessing that there is some kind of permission problem, although I don't know why calling it via the URL anonymously (http://...../getRecords) returns the same as the test... is there something that I am missing in TAL to call the external method that requires setting some permissions?
You may have encountered a security bug!
ZPublisher (more precisely "BaseResponse") converts the result into a string (calling "str"). This is done from unrestricted code. It may reveal information which is not available from restricted code (as your TAL).
Please file a bug report.
Is there any way around this problem (time is somewhat of an issue...) and is there anything that I can return differently that would help... the external method is simply calling a webservice via SOAP, and the "default" that it is returning is the dictionary... Thanks for all of the help... JH
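
One way to do the conversion suggested in the thread, as an added example that is not part of the original messages: the External Method copies whatever the SOAP library returned into plain dicts, lists and strings before the template sees it, and refuses types it does not recognise rather than stringifying them. `SoapStruct`, `SoapArray`, `fake_soap_call` and `to_builtin` are hypothetical names, the sample rows are constructed from the output quoted above, and the code is written for current Python.

```python
# Added example. SoapStruct/SoapArray are constructed stand-ins for the wrapper
# instances a SOAP client library may return; they are not a real library's API.
class SoapArray:
    def __init__(self, items): self._items = list(items)
    def __iter__(self): return iter(self._items)
    def __repr__(self): return repr(self._items)      # prints like a list

class SoapStruct:
    def __init__(self, fields): self._fields = dict(fields)
    def keys(self): return self._fields.keys()
    def __getitem__(self, key): return self._fields[key]
    def __repr__(self): return repr(self._fields)     # prints like a dict

_EXACT = (str, bytes, int, float, bool, type(None))
_BASES = (str, bytes, int, float)

def to_builtin(value, depth=0, max_depth=20):
    """Copy a result into plain dict/list/scalar objects, failing closed."""
    if depth > max_depth:
        raise ValueError("result nested too deeply (cycle?)")
    if type(value) in _EXACT:
        return value
    for base in _BASES:              # subclass of a scalar: keep only the value
        if isinstance(value, base):
            return base(value)
    if hasattr(value, "keys") and hasattr(value, "__getitem__"):
        return {to_builtin(k, depth + 1): to_builtin(value[k], depth + 1)
                for k in value.keys()}
    if hasattr(value, "__iter__"):
        return [to_builtin(v, depth + 1) for v in value]
    # Unknown object: do not str() it into the page, refuse instead.
    raise TypeError("not passing %s to restricted code" % type(value).__name__)

def fake_soap_call():
    """Constructed sample shaped like the getRecords() output in the thread."""
    rows = [["1", "Fido", "5.00"], ["2", "Spot", "10.00"], ["4", "Sparky", "24"]]
    return SoapStruct({"item": SoapArray(SoapArray(r) for r in rows)})

def getRecords(self=None):
    """External Method body: convert before returning to the template."""
    return to_builtin(fake_soap_call())

if __name__ == "__main__":
    raw = fake_soap_call()
    print(repr(raw), "is really a", type(raw).__name__)
    print(type(getRecords()["item"][0]).__name__, getRecords()["item"][0][1])
```

The stand-ins print exactly like a dict of lists, which is why the test output alone does not show whether the template is being handed plain builtins or wrapper instances.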