Object permissions in External Methods
I'm not quite sure how to do this, and the documentation that I have been browsing through hasn't been all that helpful, so I hope someone out here can help me with this seemingly simple situation. I want to read an XML file (currently read as a textfile, but will be passed as a parameter) and then change it into a Python Object where one can then dtml-in through the Heirarchy of the Document... this is what I have... -- import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals def xml_to_py(self): object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject return (returning) -- Whenever I run this, I keep getting an unauthorized error with no acceptable login correcting this. I've run into this before, but it was only fixed when I redefined an object that I have created before, not something that is pushed out from a library like this. Suggestions? Jason __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
You need to put "security declarations" on the instance that you return for it to be able to be used by "untrusted code" like DTML and Python scripts. For more info, see the Zope developer's guide security chapter at http://www.zope.org/Documentation/ZDG/Security.stx . ----- Original Message ----- From: "J. Joy" <kyroraz@yahoo.com> To: <zope@zope.org> Sent: Monday, July 08, 2002 5:25 PM Subject: [Zope] Object permissions in External Methods
I'm not quite sure how to do this, and the documentation that I have been browsing through hasn't been all that helpful, so I hope someone out here can help me with this seemingly simple situation.
I want to read an XML file (currently read as a textfile, but will be passed as a parameter) and then change it into a Python Object where one can then dtml-in through the Heirarchy of the Document... this is what I have...
-- import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals
def xml_to_py(self): object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject
return (returning) --
Whenever I run this, I keep getting an unauthorized error with no acceptable login correcting this. I've run into this before, but it was only fixed when I redefined an object that I have created before, not something that is pushed out from a library like this.
Suggestions?
Jason
__________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Thanks Chris, But every example that I have seen thus far has the method enclosed in a class. I'm not quite sure how to call these methods in the classes from a External Method screen, so that I can call it. I've tried Class.Method, but it doesn't seem to want to do that, e.g. --- import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals ## Security Lines here in regards to Class Foo Class Foo(Implicit): def xml_to_py(self): object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject return (returning) --- Any ideas? Jason
--
--- Chris McDonough <chrism@zope.com> wrote:
You need to put "security declarations" on the instance that you return for it to be able to be used by "untrusted code" like DTML and Python scripts. For more info, see the Zope developer's guide security chapter at http://www.zope.org/Documentation/ZDG/Security.stx .
----- Original Message ----- From: "J. Joy" <kyroraz@yahoo.com> To: <zope@zope.org> Sent: Monday, July 08, 2002 5:25 PM Subject: [Zope] Object permissions in External Methods
I'm not quite sure how to do this, and the documentation that I have been browsing through hasn't been all that helpful, so I hope someone out here can help me with this seemingly simple situation.
I want to read an XML file (currently read as a textfile, but will be passed as a parameter) and then change it into a Python Object where one can then dtml-in through the Heirarchy of the Document... this is what I have...
-- import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals
def xml_to_py(self): object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject
return (returning) --
Whenever I run this, I keep getting an unauthorized error with no acceptable login correcting this. I've run into this before, but it was only fixed when I redefined an object that I have created before, not something that is pushed out from a library like this.
Suggestions?
Jason
__________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
__________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
You need to make security declarations on the *returned object* (which in this case is "object._PyObject". I dont have any idea what this is but what you probably want to do is return an instance of a class which has security declarations that *wraps* this object's methods. ----- Original Message ----- From: "J. Joy" <kyroraz@yahoo.com> To: "Chris McDonough" <chrism@zope.com>; <zope@zope.org> Sent: Tuesday, July 09, 2002 1:41 PM Subject: Re: [Zope] Object permissions in External Methods
Thanks Chris,
But every example that I have seen thus far has the method enclosed in a class. I'm not quite sure how to call these methods in the classes from a External Method screen, so that I can call it.
I've tried Class.Method, but it doesn't seem to want to do that, e.g.
---
import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals
## Security Lines here in regards to Class Foo
Class Foo(Implicit):
def xml_to_py(self): object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject
return (returning)
---
Any ideas?
Jason
--
--- Chris McDonough <chrism@zope.com> wrote:
You need to put "security declarations" on the instance that you return for it to be able to be used by "untrusted code" like DTML and Python scripts. For more info, see the Zope developer's guide security chapter at http://www.zope.org/Documentation/ZDG/Security.stx .
----- Original Message ----- From: "J. Joy" <kyroraz@yahoo.com> To: <zope@zope.org> Sent: Monday, July 08, 2002 5:25 PM Subject: [Zope] Object permissions in External Methods
I'm not quite sure how to do this, and the documentation that I have been browsing through hasn't been all that helpful, so I hope someone out here can help me with this seemingly simple situation.
I want to read an XML file (currently read as a textfile, but will be passed as a parameter) and then change it into a Python Object where one can then dtml-in through the Heirarchy of the Document... this is what I have...
-- import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals
def xml_to_py(self): object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject
return (returning) --
Whenever I run this, I keep getting an unauthorized error with no acceptable login correcting this. I've run into this before, but it was only fixed when I redefined an object that I have created before, not something that is pushed out from a library like this.
Suggestions?
Jason
__________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
__________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Okay... I've given this a few tries, but I can't quite seem to nail it down. I can get to the initial object, but anything deeper and I run into more access restrictions. It seems to be copying a reference rather than the material, so I might have to find a way to explicitly copy the data from the one object to the other as equals doesn't seem to be the way to do it. This is what I have thus far: --- import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals class Container(Implicit): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') security.declarePublic('xml_to_py') def xml_to_py(self): object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject ## Here is one idea I had, put it into a object like info and then return it, didn't work so well... info = [] transport = Container() info.append(returning) return (returning) def xml_to_py(self): Globals.InitializeClass(Container) xml_transport = Container() print dir(xml_transport.xml_to_py()) print dir(xml_transport.xml_to_py().UserRequest) return (xml_transport.xml_to_py().UserRequest) Globals.InitializeClass(Container) --- I've gone though the security documents, but I don't seem to be able to find anything special about unsecuring such a issue specific to this case. --- Chris McDonough <chrism@zope.com> wrote:
You need to make security declarations on the *returned object* (which in this case is "object._PyObject". I dont have any idea what this is but what you probably want to do is return an instance of a class which has security declarations that *wraps* this object's methods.
__________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
Your Python code indentation did not make it successfully through email so I can only guess what the code really means. But here's a more verbose description of a solution with an entirely separate set of domain objects. Say you have an object that you want to return that cannot be protected with security declarations (perhaps attributes cant be set on it because it's an instance of a C-defined type that doesn't have a setattr), call this "foo". Say that it has methods "getOne" and "getTwo" that you want to use in TTW code. Say that getOne and getTwo don't return "complex" objects (instances), but normal Python objects like strings (which dont need their own security declarations): You would define a wrapper class in your external method like so: class FooWrapper: security = ClassSecurityInfo() security.declareObjectPublic() def __init__(self, real_foo): self.real_foo = real_foo security.declarePublic('getOne') def getOne(self): return self.real_foo.getOne() security.declarePublic('getTwo') def getTwo(self): return self.real_foo.getTwo() Globals.Initialize(FooWrapper) And an external method to make use of the wrapper would look something like: def getAFoo(self, name): import foo inst = foo.foo(name) return FooWrapper(inst) As long as getOne and getTwo return "basic" python types this wrapper will work. If the methods return instances, classes, or anything that is not a string, list, dict, or tuple, you will not be able to do anything with the return values due to the security machinery. There are ways around this (namely, setting an attribute on a returned instance called "__allow_access_to_unprotected_subobjects__"), but if you're going to go this far it'd probably be better to use an external method. - c ----- Original Message ----- From: "J. Joy" <kyroraz@yahoo.com> To: "Chris McDonough" <chrism@zope.com>; <zope@zope.org> Sent: Tuesday, July 09, 2002 3:40 PM Subject: Re: [Zope] Object permissions in External Methods with XML
Okay... I've given this a few tries, but I can't quite seem to nail it down. I can get to the initial object, but anything deeper and I run into more access restrictions. It seems to be copying a reference rather than the material, so I might have to find a way to explicitly copy the data from the one object to the other as equals doesn't seem to be the way to do it.
This is what I have thus far:
---
import gnosis.xml.objectify as xp from AccessControl import ClassSecurityInfo from Acquisition import Implicit import Globals
class Container(Implicit): security = ClassSecurityInfo() security.declareObjectPublic() security.setDefaultAccess('allow') security.declarePublic('xml_to_py')
def xml_to_py(self):
object = xp.XML_Objectify('/tmp/sample.xml') returning = object._PyObject
## Here is one idea I had, put it into a object like info and then return it, didn't work so well... info = [] transport = Container() info.append(returning)
return (returning)
def xml_to_py(self):
Globals.InitializeClass(Container)
xml_transport = Container() print dir(xml_transport.xml_to_py()) print dir(xml_transport.xml_to_py().UserRequest) return (xml_transport.xml_to_py().UserRequest)
Globals.InitializeClass(Container)
---
I've gone though the security documents, but I don't seem to be able to find anything special about unsecuring such a issue specific to this case.
--- Chris McDonough <chrism@zope.com> wrote:
You need to make security declarations on the *returned object* (which in this case is "object._PyObject". I dont have any idea what this is but what you probably want to do is return an instance of a class which has security declarations that *wraps* this object's methods.
__________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com
participants (2)
-
Chris McDonough -
J. Joy