Hi,

I have changed my zope version, zope 2.7 to zope 2.9. In zope 2.7 I have some python scripts that run very well. But in zope 2.9 these scripts don't run. This script uses the parameters in the url sent with a checkbox form. I have exactly the same code in zope2.7 and zope2.9. :s

In zope 2.9 I have this error message :
---------------------------------------------------------------------------
Type de l'erreur    TypeError
Valeur de l'erreur  Augmented assignment to And objects is not allowed in untrusted code
Requête envoyée au serveur le 2007/06/04 10:18:18.412 GMT+2
---------------------------------------------------------------------------

My python script :
---------------------------------------------------------------------------
    from Products.PythonScripts.standard import html_quote
    from Products.AdvancedQuery import Eq, And, Or

    request = container.REQUEST
    RESPONSE = request.RESPONSE

    # type1..type6 are the script parameters passed in by the page template
    query = And(Eq('portal_type', 'J_Product'))
    query &= Eq('review_state', 'published')

    query2 = Or()
    if type1 != None:
        query2 |= Eq('getJ_product_type', int(1))
    if type2 != None:
        query2 |= Eq('getJ_product_type', int(2))
    if type3 != None:
        query2 |= Eq('getJ_product_type', int(3))
    if type4 != None:
        query2 |= Eq('getJ_product', int(4))
    if type5 != None:
        query2 |= Eq('getJ_product', int(5))
    if type6 != None:
        query2 |= Eq('getJ_product', int(6))

    if type1 != None or type2 != None or type3 != None or type4 != None or type5 != None or type6 != None:
        query &= query2

    resultat_product = context.portal_catalog.evalAdvancedQuery(query)
    sort_on_pr = (("Title", "strcoll_nocase", "asc"),)
    tri_product = sequence.sort(resultat_product, sort_on_pr)
    return tri_product
---------------------------------------------------------------------------

Thanks,
Julian
The event.log
----------------------------------------------------------------------------
2007-06-04T10:18:18 ERROR Zope.SiteErrorLog http://test.home.com/directory/sub_directory/liste_product
Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 41, in call_object
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.PageTemplates.ZopePageTemplate, line 255, in _exec
  Module Products.PageTemplates.PageTemplate, line 104, in pt_render
   - <ZopePageTemplate at /SITES/my_site/directory1/sub_directory1/liste_product>
  Module TAL.TALInterpreter, line 238, in __call__
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 749, in do_useMacro
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 457, in do_optTag_tal
  Module TAL.TALInterpreter, line 442, in do_optTag
  Module TAL.TALInterpreter, line 437, in no_tag
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 780, in do_defineSlot
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 457, in do_optTag_tal
  Module TAL.TALInterpreter, line 442, in do_optTag
  Module TAL.TALInterpreter, line 437, in no_tag
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 728, in do_defineMacro
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 772, in do_defineSlot
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 728, in do_defineMacro
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 507, in do_setLocal_tal
  Module Products.PageTemplates.TALES, line 221, in evaluate
   - URL: /SITES/my_site/directory1/sub_directory1/liste_product
   - Line 7, Column 6
   - Expression: <PythonExpr here.getProduct(type1=type1, type2=type2, type3=type3, type4=type4, type5=type5, type6=type6 )>
   - Names: {'container': <ATFolder at /SITES/my_site/directory1/sub_directory1>, 'context': <ATFolder at /SITES/my_site/directory1/sub_directory1>, 'default': <Products.PageTemplates.TALES.Default instance at 0xb6fbb66c>, 'here': <ATFolder at /SITES/my_site/directory1/sub_directory1>, 'loop': <Products.PageTemplates.TALES.SafeMapping object at 0xaffdf90c>, 'modules': <Products.PageTemplates.ZRPythonExpr._SecureModuleImporter instance at 0xb706dd2c>, 'nothing': None, 'options': {'args': ()}, 'repeat': <Products.PageTemplates.TALES.SafeMapping object at 0xaffdf90c>, 'request': <HTTPRequest, URL=http://test.home.com/directory/sub_directory/liste_product>, 'root': <Application at >, 'template': <ZopePageTemplate at /SITES/my_site/directory1/sub_directory1/liste_product>, 'traverse_subpath': [], 'user': <SpecialUser 'Anonymous User'>}
  Module Products.PageTemplates.ZRPythonExpr, line 47, in __call__
   - __traceback_info__: here.getProduct(type1=type1, type2=type2, type3=type3, type4=type4, type5=type5, type6=type6)
  Module Python expression "here.getProduct(type1=type1, type2=type2, type3=type3, type4=type4, type5=type5, type6=type6) ", line 1, in <expression>
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.PythonScripts.PythonScript, line 325, in _exec
  Module None, line 8, in getProduct
   - <PythonScript at /SITES/my_site/directory1/sub_directory1/getProduct>
   - Line 8
  Module AccessControl.ZopeGuards, line 478, in protected_inplacevar
TypeError: Augmented assignment to And objects is not allowed in untrusted code
julian wrote at 2007-6-4 10:34 +0200:
> The event.log
> ...
>   Module None, line 8, in getProduct
>    - <PythonScript at /SITES/my_site/directory1/sub_directory1/getProduct>
>    - Line 8
>   Module AccessControl.ZopeGuards, line 478, in protected_inplacevar
> TypeError: Augmented assignment to And objects is not allowed in untrusted code
Someone introduced a new security mechanism between Zope 2.8 and Zope 2.9: Inplace operations (such as "&=") are only allowed for "list" and "set".

The implementer did not realize that there are situations when such inplace operations should be allowed -- as for e.g. "AdvancedQuery.And". They did not provide for any declarations that would allow this.

Consequence: Until Zope is fixed, "AdvancedQuery" can do nothing to make "&=" and "|=" and friends work in untrusted code.

You have already found a workaround: "x &= y" is very similar to "x = x & y". It is slightly less efficient (not an issue in this case) and it does not affect other bindings of "x".

--
Dieter
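Added example, not part of the original thread and not Zope's source code: a simplified Python model of the in-place guard named in the traceback (`protected_inplacevar`), showing why `&=` on an `And` object is rejected while `x = x & y` passes, and what "does not affect other bindings" means. The `And` class is a hypothetical stand-in for `AdvancedQuery.And`, and `guarded_inplace` is an assumed simplification of the real guard.

```python
import operator

# Simplified model of the guard (assumption, not Zope's source). Only these
# types may be mutated in place, as the reply above states.
VALID_INPLACE_TYPES = (list, set)
INPLACE = {"&=": ("__iand__", operator.and_),
           "|=": ("__ior__", operator.or_),
           "+=": ("__iadd__", operator.add)}

def guarded_inplace(op, var, expr):
    """Model of what restricted code executes for `var <op> expr`."""
    slot, fallback = INPLACE[op]
    cls = type(var)
    if getattr(cls, slot, None) is None:
        return fallback(var, expr)            # no in-place slot: plain binary op
    if cls in VALID_INPLACE_TYPES:
        return getattr(cls, slot)(var, expr)  # allowed type: mutate in place
    raise TypeError("Augmented assignment to %s objects is not allowed "
                    "in untrusted code" % cls.__name__)

class And:
    """Hypothetical stand-in for AdvancedQuery.And: supports & and &=."""
    def __init__(self, *terms):
        self.terms = list(terms)

    def __and__(self, other):
        return And(*(self.terms + [other]))   # builds a new object

    def __iand__(self, other):
        self.terms.append(other)              # mutates the existing object
        return self

def demo():
    results = {}
    q = And("portal_type=J_Product")          # constructed sample terms
    try:
        guarded_inplace("&=", q, "review_state=published")
    except TypeError as exc:
        results["blocked"] = str(exc)
    alias = q
    q = q & "review_state=published"          # the workaround: rebind the name
    results["rebound_terms"] = len(q.terms)
    results["alias_terms"] = len(alias.terms) # other binding is left untouched
    s = {1, 2, 3}
    results["set_same_object"] = guarded_inplace("&=", s, {2, 3}) is s
    return results
```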
----- Original Message -----
From: "julian" <jules12af@aol.com>
To: <zope@zope.org>
Sent: Monday, June 04, 2007 4:24 AM
Subject: [Zope] Problem Augmented assignment

> I have changed my zope version, zope 2.7 to zope 2.9. In zope 2.7 I have some python scripts that run very well. But in zope 2.9 these scripts don't run. This script uses the parameters in the url sent with a checkbox form. I have exactly the same code in zope2.7 and zope2.9. :s
>
> In zope 2.9 I have this error message :
> ---------------------------------------------------------------------------
> Type de l'erreur    TypeError
> Valeur de l'erreur  Augmented assignment to And objects is not allowed in untrusted code
> Requête envoyée au serveur le 2007/06/04 10:18:18.412 GMT+2
> ---------------------------------------------------------------------------

A quick fix would be to move the code from your python script to an external method.

Jonathan
> A quick fix would be to move the code from your python script to an external method.

Ok, thanks, but how can I call this external method in a page template? In a first page I have a form that submits 6 parameters in the url. The second page must call the "external method" or python script (doesn't run) and with the method sort of python I make a search in portal_catalog.

Julian
>> A quick fix would be to move the code from your python script to an external method.

> Ok, thanks, but how can I call this external method in a page template? In a first page I have a form that submits 6 parameters in the url. The second page must call the "external method" or python script (doesn't run) and with the method sort of python I make a search in portal_catalog.

If I'm not wrong this should work as with normal python scripts:

    python:context.myExtMethod(par1,par2,...)

You just have to define your parameters inside the external method and your script must be in the acquisition path of the template where you are calling it.

Regards
Josef
In fact it's a problem of AdvancedQuery :

TypeError: Augmented assignment to And objects is not allowed in untrusted code

If I don't write query = And(), there are no errors. But I want the function And :s .

My code :
----------------------------------------------------------
    query = And()
    query &= Eq('portal_type', 'J_Product')
    query &= Eq('review_state', 'published')

    query2 = Or()
    if type1 != None:
        query2 |= Eq('getJ_product_type', int(1))
    if type2 != None:
        query2 |= Eq('getJ_product_type', int(2))
    if type3 != None:
        query2 |= Eq('getJ_product_type', int(3))
    if type4 != None:
        query2 |= Eq('getJ_product_type', int(4))
    if type5 != None:
        query2 |= Eq('getJ_product_type', int(5))
    if type6 != None:
        query2 |= Eq('getJ_product_type', int(6))

    if type1 != None or type2 != None or type3 != None or type4 != None or type5 != None or type6 != None:
        query &= query2

    resultat_product = context.portal_catalog.evalAdvancedQuery(query)
    sort_on_pr = (("Title", "strcoll_nocase", "asc"),)
    tri_product = sequence.sort(resultat_product, sort_on_pr)
    return tri_product
----------------------------------------------------------------------

Thanks,
Julian
julian wrote:
> In fact it's a problem of AdvancedQuery :
> TypeError: Augmented assignment to And objects is not allowed in untrusted code
>
> If I don't write query = And(), there are no errors. But I want the function And :s .

Does this also happen when you make an external method? It seems that you were still trying to run a python script.

> My code :
> [Snip...]

I haven't worked with this kind of sql queries, so I can tell you if something is wrong there.

Best regards
Josef
I have resolved my problem. It's very odd. It's the place of the operator...

    query &= Eq('portal_type', 'J_Product')
    query &= Eq('review_state', 'published')

I replaced this by :

    query = query & Eq('portal_type', 'J_Product')
    query = query & Eq('review_state', 'published')

It works :)
participants (4)
- Dieter Maurer
- Jonathan
- Josef Meile
- julian