[ZCM] [ZC] 77/ 2 Resolve "allow_module in Zope2.5b2"

Collector: Zope Bugs and Patches ... zope-coders@zope.org
Fri, 15 Feb 2002 14:02:53 -0500 

Issue #77 Update (Resolve) "allow_module in Zope2.5b2"
 Status Resolved, Zope/bug medium
To followup, visit:
  http://collector.zope.org/Zope/77

==============================================================
= Resolve - Entry #2 by evan on Feb 15, 2002 2:02 pm

 Status: Pending => Resolved

This should be fixed in 2.5.  The best way (apart from inline declarations in Formulator) to declare the security is the following:

from AccessControl import ModuleSecurityInfo, allow_class
ModuleSecurityInfo('Products.Formulator').declarePublic('StringField')
ModuleSecurityInfo('Products.Formulator.Form').declarePublic(
 'FormValidationError', 'BasicForm')
from Products.Formulator.StandardFields import StringField
from Products.Formulator.Form import FormValidationError, BasicForm
allow_class(StringField)
allow_class(FormValidationError)
allow_class(BasicForm)
________________________________________
= Request - Entry #1 by Anonymous User on Dec 7, 2001 11:52 am

trying to make a simpler version of this i witnessed ChrisM's security stomping on each other.  This works just fine in Zope2.4.x but raised Unauhtorized Excpetion (at the tail of this report)

You need to download Formulator, and create a ScriptAllow Product in its __init__.py add
from Products.PythonScripts.Utility import allow_module, allow_class
allow_module('Products')
allow_module('Products.Formulator')
allow_module('Products.Formulator.Form')
from Products.Formulator.StandardFields import StringField
from Products.Formulator.Form import FormValidationError, BasicForm
allow_class(StringField)
allow_class(FormValidationError)
allow_class(BasicForm)

in the a Script(Python), process_form (parameters: REQUEST)

from Products.Formulator.Form import FormValidationError
from Products.Formulator.Form import BasicForm
from Products.Formulator import StandardFields
errors={} #mapping containing errors (keys), messages (values)
foo=StandardFields.StringField('foo', title='foo', required=1, display_width=20, max_length=20)
f=BasicForm()
f.add_fields( (foo,) )
#result=f.validate_all(context.REQUEST)
try:
    result=f.validate_all(context.REQUEST)
except FormValidationError, e:
    for error in e.errors:
        errors[error.field.get_value('title')]=error.error_text
    REQUEST.set('errors', errors)
    return context.testValidator(context, context.REQUEST)
return 'all fields valid'


#--- traceback garnsihed
Error Type: Unauthorized
Error Value: You are not allowed to access Formulator in this context

Traceback (innermost last):
  File E:\zope25b2\lib\python\ZPublisher\Publish.py, line 151, in publish_module
  File E:\zope25b2\lib\python\ZPublisher\Publish.py, line 115, in publish
  File E:\zope25b2\lib\python\Zope\__init__.py, line 158, in zpublisher_exception_hook
    (Object: simpleValidator)
  File E:\zope25b2\lib\python\ZPublisher\Publish.py, line 99, in publish
  File E:\zope25b2\lib\python\ZPublisher\mapply.py, line 88, in mapply
    (Object: process_form)
  File E:\zope25b2\lib\python\ZPublisher\Publish.py, line 40, in call_object
    (Object: process_form)
  File E:\zope25b2\lib\python\Shared\DC\Scripts\Bindings.py, line 252, in __call__
    (Object: process_form)
  File E:\zope25b2\lib\python\Shared\DC\Scripts\Bindings.py, line 283, in _bindAndExec
    (Object: process_form)
  File E:\zope25b2\lib\python\Products\PythonScripts\PythonScript.py, line 291, in _exec
    (Object: process_form)
    (Info: ({'script': <PythonScript instance at 02438FB8>, 'context': <Folder instance at 01A390E8>, 'container': <Folder instance at 01A390E8>, 'traverse_subpath': []}, (), {}, None))
  File Script (Python), line 1, in process_form
    (Object: guard)
  File E:\zope25b2\lib\python\AccessControl\ZopeGuards.py, line 131, in guarded_import
  File E:\zope25b2\lib\python\AccessControl\ZopeGuards.py, line 170, in load_module
    (Object: Products)
  File E:\zope25b2\lib\python\AccessControl\SecurityManager.py, line 83, in validate
  File E:\zope25b2\lib\python\AccessControl\ZopeSecurityPolicy.py, line 145, in validate
Unauthorized: (see above)

==============================================================