I have an external method (which makes a SOAP call) which, when running the test on it, works and returns data as expected... however, with the following TAL code:

=================================================
<html>
  <head>
    <title tal:content="template/title">The title</title>
  </head>
  <body>
    <p tal:content="here/getRecords"> </p>
    <table border="1" tal:define="data python:here.getRecords()['item']">
      <tr tal:repeat="record data">
        <td tal:content="python:record[0]">record item 1</td>
        <td tal:content="python:record[1]">record item 2</td>
        <td tal:content="python:record[2]">record item 3</td>
      </tr>
    </table>
    <br />
  </body>
</html>
=================================================

I am getting a basic authentication box... which I don't want... and additionally, no matter if I type in a valid superuser login and password, the box just keeps coming up... I'm guessing that there is some kind of permission problem, although I don't know why calling it via the URL anonymously (http://...../getRecords) returns the same as the test... is there something that I am missing in TAL to call the external method that requires setting some permissions ? Thanks for any and all advice... JH jhood - hmcon com
Jeffrey Hood wrote at 2003-6-26 17:32 -0400:
I have an external method (which makes a SOAP call) which when running the test on, works and returns data as expected... however, with the following tal code: ... <table border="1" tal:define="data python:here.getRecords()['item']"> <tr tal:repeat="record data"> <td tal:content="python:record[0]">record item 1</td> ... I am getting a basic authentication box... which I don't want... and additionally, no matter if I type in a valid superuser login and password, the box just keeps coming up...
What type of object is "record"? What type is "record[i]"? Either one seems to be an instance without security declarations. Convert the "record" into a dictionary (in your External Method) or give "record[i]" the necessary security declarations (see Zope Developer Guide, for details).
I'm guessing that there is some kind of permission problem, although I don't know why calling it via the url anonymously (http://...../getRecords) returns the same as the test... is there something that I am missing in tal to call the external method that requires setting some permissions ?
You may have encountered a security bug! ZPublisher (more precisely "BaseResponse") converts the result into a string (calling "str"). This is done from unrestricted code. It may reveal information which is not available from restricted code (as your TAL). Please file a bug report. Dieter
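The first of Dieter's two suggestions, converting the result to plain data inside the External Method, as an added example that is not part of the thread and not Zope's own code. Zope's sandbox (RestrictedPython with the AccessControl guards) allows a template to read items of the built-in dict, list, tuple and string types but refuses attribute and item access on arbitrary class instances that carry no security declarations; the refusal raises Unauthorized, which ZPublisher turns into the basic-auth challenge seen in the thread. The container assertions are looked up by exact type, so a SOAP library's own list or string subclasses are treated as instances too. The classes `_SoapRecord`, `_SoapList`, `_SoapResponse` and the function `_fake_soap_call` below are constructed stand-ins for whatever a real SOAP client returns, not any library's API; the record values are the ones shown in the thread. The alternative route Dieter mentions, security declarations via `AccessControl.ClassSecurityInfo` on the returned classes, needs a running Zope and is not shown here. Python 3 syntax, although the thread predates it.

```python
# Added example, not from the thread or from Zope. An External Method that
# hands the template only exact built-in types, so nothing the sandbox
# treats as an "instance without security declarations" ever reaches TAL.
# _SoapRecord, _SoapList, _SoapResponse and _fake_soap_call are constructed
# stand-ins for a SOAP client's objects (assumption, not a real library).

SCALAR_TYPES = (bool, int, float, str)


def to_plain(value, _depth=0, _max_depth=32):
    """Recursively copy `value` into exact built-in types.

    Mappings -> dict with str keys; sequences -> list; objects with a
    __dict__ -> dict of their public attributes; bytes are decoded; anything
    else falls back to str(value). Subclasses of the built-ins are copied
    into the exact base type, which is what the sandbox's lookup wants.
    """
    if _depth > _max_depth:
        raise ValueError("result nested deeper than %d levels" % _max_depth)
    if value is None:
        return None
    if isinstance(value, bool):
        return bool(value)
    if isinstance(value, int):
        return int(value)
    if isinstance(value, float):
        return float(value)
    if isinstance(value, str):
        return str(value)
    if isinstance(value, bytes):
        return value.decode("utf-8", "replace")
    nxt = _depth + 1
    if isinstance(value, dict):
        return {str(k): to_plain(v, nxt, _max_depth) for k, v in value.items()}
    if hasattr(value, "_asdict"):          # namedtuple: keep field names
        return to_plain(value._asdict(), nxt, _max_depth)
    if isinstance(value, (list, tuple, set, frozenset)):
        return [to_plain(v, nxt, _max_depth) for v in value]
    if hasattr(value, "__dict__"):         # plain object: public attributes only
        return {k: to_plain(v, nxt, _max_depth)
                for k, v in vars(value).items() if not k.startswith("_")}
    return str(value)


def is_plain(value):
    """True if `value` is built from exact dict/list/scalar types only."""
    t = type(value)
    if value is None or t in SCALAR_TYPES:
        return True
    if t is dict:
        return all(type(k) is str and is_plain(v) for k, v in value.items())
    if t is list:
        return all(is_plain(v) for v in value)
    return False


class _SoapRecord:
    """Constructed stand-in for one record object from a SOAP client."""
    def __init__(self, rec_id, name, price):
        self.id = rec_id
        self.name = name
        self.price = price
        self._raw = "<item>...</item>"     # private detail; must not reach the template


class _SoapList(list):
    """Constructed stand-in for a SOAP client's list subclass."""


class _SoapResponse:
    """Constructed stand-in for the decoded response."""
    def __init__(self, records):
        self.item = _SoapList(records)


def _fake_soap_call():
    """Constructed replacement for the real SOAP call; values as in the thread."""
    rows = [("1", "Fido", "5.00"), ("2", "Spot", "10.00"), ("4", "Sparky", "24"),
            ("9", "Buffy", "10"), ("10", "Bobby", "50")]
    return _SoapResponse([_SoapRecord(*r) for r in rows])


def getRecords():
    """External Method body: call the service, return plain data only.

    Rows are reshaped to [id, name, price] lists so the template from the
    thread (record[0], record[1], record[2]) works unchanged.
    """
    plain = to_plain(_fake_soap_call())
    result = {"item": [[r["id"], r["name"], r["price"]] for r in plain["item"]]}
    if not is_plain(result):              # defence in depth before returning to TAL
        raise TypeError("getRecords would return non-plain data")
    return result
```

`is_plain` is deliberately strict (exact types, string keys) so the check fails loudly in the External Method, where the traceback is readable, rather than as an Unauthorized deep inside page rendering. If the rows are returned as dicts instead of lists, the template would address fields by name (`record/name`) rather than by index.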
Dieter Maurer wrote:
Jeffrey Hood wrote at 2003-6-26 17:32 -0400:
I have an external method (which makes a SOAP call) which when running the test on, works and returns data as expected... however, with the following tal code: ... <table border="1" tal:define="data python:here.getRecords()['item']"> <tr tal:repeat="record data"> <td tal:content="python:record[0]">record item 1</td> ... I am getting a basic authentication box... which I don't want... and additionally, no matter if I type in a valid superuser login and password, the box just keeps coming up...
What type of object is "record"? What type is "record[i]"? Either one seems to be an instance without security declarations.
getRecords() returns: {u'item': [['1', 'Fido', '5.00'], ['2', 'Spot', '10.00'], ['4', 'Sparky', '24'], ['9', 'Buffy', '10'], ['10', 'Bobby', '50']]} (BTW, I'm a beginner with Python/Zope, so forgive me if I don't get the terminology correct...) I've been told that that is a dictionary...
Convert the "record" into a dictionary (in your External Method) or give "record[i]" the necessary security declarations (see Zope Developer Guide, for details).
If it is a dictionary, is it outside the need for security declarations? I've looked at the Guide, and don't really understand how to set permissions on a return value...
I'm guessing that there is some kind of permission problem, although I don't know why calling it via the url anonymously (http://...../getRecords) returns the same as the test... is there something that I am missing in tal to call the external method that requires setting some permissions ?
You may have encountered a security bug!
ZPublisher (more precisely "BaseResponse") converts the result into a string (calling "str"). This is done from unrestricted code. It may reveal information which is not available from restricted code (as your TAL).
Please file a bug report.
Is there any way around this problem (time is somewhat of an issue...) and is there any thing that I can return differently that would help... the external method is simply calling a webservice via SOAP, and the "default" that it is returning is the dictionary... Thanks for all of the help... JH
Jeffrey Hood wrote at 2003-6-27 16:46 -0400:
...
What type of object is "record"? What type is "record[i]"? Either one seems to be an instance without security declarations.
getRecords() returns: {u'item': [['1', 'Fido', '5.00'], ['2', 'Spot', '10.00'], ['4', 'Sparky', '24'], ['9', 'Buffy', '10'], ['10', 'Bobby', '50']]}
(BTW, I'm a beginner with Python/Zope, so forgive me if I don't get the terminology correct...)
This looks harmless, although in Python instances may look like primitive data types. The easiest way to analyse any authorization problem is to install Shane's VerboseSecurity product. It should tell you precisely where the problem occurs. Dieter