[BlueBream] Strange effect with @@view calling

Marius Gedminas marius at gedmin.as
Wed Mar 31 09:31:50 EDT 2010


Hi!

On Wed, Mar 31, 2010 at 03:02:07AM +0200, Dr. Volker Jaenisch wrote:
> Currently I got a strange effect calling a view in my bluebream project.
> 
> A) If I call it like this http://../engine/index
> it works without problems .
> 
> B) If I call it like this http://../engine/@@index
> I got a stacktrace which ends in a forbiddenAttribute error.

That is indeed strange.

> The view itself is trivial:
> 
> class BookingEngineDefaultView(BrowserView):
>     """Default view for a booking engine"""
> 
>     def update(self):
>         import pdb; pdb.set_trace()
> 
> Suppose the following Model
> zope-root -> engine -> Product
> where Product has an attribute "name".
> 
> The view just uses a pagetemplate that does:
> 
>      <li tal:repeat="products context/values">
>       <a tal:attributes="href products/@@absolute_url"
>          tal:content="python:products.name">Name</a>
> 
> In Case B) the following stacktrace results:
> 
> Line 10, Column 6
> In expression: <PythonExpr (products.name)>
...
> ForbiddenAttribute: ('name', <inqbus.booking.classes.product.Product
> object at 0xa35c5cc>)
> 
> 
> I am wondering:
> * Why do the similar URLs that lead to the same view (proved by pdb)
> with the same principal (zope.Manager, proved by pdb) lead to different
> results?

Is view.context the same in both cases?

Is it security-proxied in both cases?  (Check by looking at
type(self.context) in pdb.)

> * How could it be that a ForbiddenAttribute error is raised if I work
> as Zope.Manager, which has
> a grantAll permission?

ForbiddenAttribute means that *nobody*, not even managers, can access
that attribute.  It's raised whenever you don't have the appropriate

  <class class="...Product">
    <require permission="..." interface=.../attributes=... />
  </class>

in your ZCML.

> My guess is, that the B) URL results in a more paranoid security 
> checking than the A) URL.

Apparently, but why?

I really want to know how the view context differs in those two cases.

> But if this is the case, is this behavior the correct one?

If you truly haven't defined the permissions for the Product class in
your ZCML, then yes, the exception is supposed to happen.

> Any hints welcome. In the appendix you find the relevant ZCML

It lists only views, no <class> directives in sight.

Marius Gedminas
-- 
#define QUESTION ((bb) || !(bb)) /* Shakespeare */
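As an added illustration (not part of this thread and not taken from the inqbus project), this is the shape of the <class> declaration Marius is pointing at. The permission names and the interface path are assumptions; the class path is the one shown in the traceback.

```xml
<!-- Added example, not from the original mail or the inqbus code base.
     Security declarations for the Product class; permission names
     (zope.View, zope.ManageContent) and the IProduct interface path are
     assumptions chosen for illustration. -->
<configure xmlns="http://namespaces.zope.org/zope">

  <class class="inqbus.booking.classes.product.Product">

    <!-- Reading "name" through a security proxy now checks zope.View.
         A principal that lacks zope.View gets Unauthorized; a principal
         with grantAll (such as zope.Manager) passes.  Without any
         <require> covering "name" there is no permission to check at
         all, so every principal gets ForbiddenAttribute. -->
    <require
        permission="zope.View"
        attributes="name"
        />

    <!-- Alternative to listing attributes one by one: require the
         permission for every attribute declared on an interface
         (assumed path). -->
    <require
        permission="zope.View"
        interface=".interfaces.IProduct"
        />

    <!-- Writes are declared separately from reads. -->
    <require
        permission="zope.ManageContent"
        set_attributes="name"
        />

  </class>

</configure>
```

The grant given to zope.Manager only matters once a permission is attached to the attribute; the <class> directive is what attaches it. The same applies to whatever object `context/values` is evaluated on: if that container reaches the template security-proxied, it needs a declaration covering `values` as well, which is why checking `type(self.context)` in pdb for both URLs is the first thing to do.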