[ZCM] [ZC] 1034/ 6 Resolve "METAL-macros in xml mode raises Unauthorized"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Thu Oct 23 21:27:34 EDT 2003


Issue #1034 Update (Resolve) "METAL-macros in xml mode raises Unauthorized"
 Status Resolved, Zope/bug medium
To followup, visit:
  http://zope.org/Collectors/Zope/1034

==============================================================
= Resolve - Entry #6 by mcdonc on Oct 23, 2003 9:27 pm

 Status: Pending => Resolved

This has been fixed on the trunk and on the 2.7 branch.
________________________________________
= Comment - Entry #5 by evan on Sep 22, 2003 10:47 am

More specifically, it looks like line 1914 of cAccessControl.c (at least) needs to use (PyString_Check(name) || PyUnicode_Check(name)) instead of plain PyString_Check(name) and convert the name to a non-unicode string if necessary, since Python does the same thing to attribute names.  All other usage of PyString_Check in cAccessControl.c, especially in validate(), needs to be checked.
________________________________________
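The comments above locate the failure in a type check on the attribute name: the name arrives as a Unicode string (because xml mode makes every TAL/TALES string Unicode) and the validator only recognises the byte-string type, so a permitted attribute is reported as Unauthorized. The following is an added Python 3 model of that check and of the fix evan describes (accept both string types and normalise, as Python itself does for attribute names). It is not Zope's code: the real check is in cAccessControl.c, and on Python 2 the mismatch was `str` versus `unicode`; Python 3 has no separate `unicode` type, so `bytes` stands in for the "other" string type, and the `Document` object, its `__roles__` mapping and the role sets are constructed for the illustration.

```python
"""Model of the type-sensitive attribute-name check discussed in this issue.

Added illustration, not Zope code.  `bytes` plays the role of Python 2
`unicode` (the string type the original check did not recognise).
"""


class Unauthorized(Exception):
    """Raised when the security check denies access (the check fails closed)."""


class Document:
    # Constructed sample object.  Names in __roles__ need one of the listed
    # roles; names not listed are treated as public for this model.
    __roles__ = {"id": {"Anonymous", "Manager"}, "_secret": {"Manager"}}

    def __init__(self):
        self.id = "test_xml"
        self._secret = "hidden"


def validate_strict(obj, name, caller_roles):
    """Buggy check: only an exact `str` name is looked up in __roles__.

    Any other name type (Python 2 `unicode`; here `bytes`) skips the lookup
    and lands in the deny branch, so even a Manager is refused 'id'.  That is
    the symptom in the traceback: a fail-closed check with an incomplete
    type test denies legitimate access instead of granting wrong access.
    """
    if isinstance(name, str):
        required = obj.__roles__.get(name)
        if required is None or caller_roles & required:
            return True
    return False


def normalize_name(name):
    """Coerce the name the way Python coerces attribute names: accept str or
    bytes, decode bytes as ASCII, reject anything else."""
    if isinstance(name, str):
        return name
    if isinstance(name, bytes):
        return name.decode("ascii")  # UnicodeDecodeError -> caller fails closed
    raise TypeError("attribute name must be str or bytes, got %r" % type(name))


def validate_fixed(obj, name, caller_roles):
    """Fixed check: normalise the name first, then do the same role lookup."""
    try:
        name = normalize_name(name)
    except (TypeError, UnicodeDecodeError):
        return False  # unknown name shape: deny rather than guess
    required = obj.__roles__.get(name)
    return required is None or bool(caller_roles & required)


def guarded_getattr(obj, name, caller_roles, validate=validate_fixed):
    """Fetch an attribute only if the validator permits it.

    Pass validate=validate_strict to reproduce the xml-mode failure.
    """
    if not validate(obj, name, caller_roles):
        raise Unauthorized(
            "You are not allowed to access %r in this context" % (name,)
        )
    return getattr(obj, normalize_name(name))


if __name__ == "__main__":
    doc, roles = Document(), {"Manager"}
    print(guarded_getattr(doc, "id", roles, validate=validate_strict))   # ok
    print(guarded_getattr(doc, b"id", roles))                            # ok after fix
    try:
        guarded_getattr(doc, b"id", roles, validate=validate_strict)
    except Unauthorized as e:
        print("strict check:", e)
```

The point to carry over to other validators: a deny-by-default check is the right shape, but its type test has to cover every representation the caller can legitimately hand it, and undecodable or foreign types should still end in the deny branch rather than in an exception path that bypasses the check.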
= Comment - Entry #4 by evan on Sep 22, 2003 10:19 am

Something inside guarded_getattr is doing the Wrong Thing when the attribute name is Unicode.  Putting a ZPT into xml mode causes all strings, including path expressions, to become Unicode.
________________________________________
= Comment - Entry #3 by zild on Sep 19, 2003 2:26 am

This is almost certainly a general bug, not just in the METAL macros, but also in the TAL macros. I am unable to duplicate this on 2.6, but it does seem to happen in 2.7.0-b1 as well. The simplest test case is the following:

---

 1. Create a page template
 
 2. Use the text:
 
   <test xmlns:tal="http://xml.zope.org/namespaces/tal"
         tal:replace="here/id"/>

 3. Set to content-type text/html -- it should work.

 4. Set to content-type text/xml -- you will get a security violation.

-----

The resulting traceback is as follows:

2003-09-19T18:00:26 ERROR(200) SiteError http://localhost:8080/xwft/test/test_xml
Traceback (most recent call last):
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/ZPublisher/Publish.py", line 98, in publish
    request, bind=1)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/ZPublisher/mapply.py", line 88, in mapply
    if debug is not None: return debug(object,args,context)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/ZPublisher/Publish.py", line 39, in call_object
    result=apply(object,args) # Type s<cr> to step into published object.
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Shared/DC/Scripts/Bindings.py", line 252, in __call__
    return self._bindAndExec(args, kw, None)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Shared/DC/Scripts/Bindings.py", line 283, in _bindAndExec
    return self._exec(bound_data, args, kw)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/ZopePageTemplate.py", line 220, in _exec
    result = self.pt_render(extra_context=bound_names)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/PageTemplate.py", line 95, in pt_render
    tal=not source, strictinsert=0)()
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/TAL/TALInterpreter.py", line 189, in __call__
    self.interpret(self.program)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/TAL/TALInterpreter.py", line 233, in interpret
    handlers[opcode](self, args)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/TAL/TALInterpreter.py", line 477, in do_insertText_tal
    text = self.engine.evaluateText(stuff[0])
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/TALES.py", line 226, in evaluateText
    text = self.evaluate(expr)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/TALES.py", line 220, in evaluate
    return expression(self)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/Expressions.py", line 207, in __call__
    return self._eval(econtext)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/Expressions.py", line 195, in _eval
    ob = self._subexprs[-1](econtext)
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/Expressions.py", line 151, in _eval
    ob = restrictedTraverse(ob, path, getSecurityManager())
  File "/opt/xwft/Zope-2.7.0-b2/lib/python/Products/PageTemplates/Expressions.py", line 348, in restrictedTraverse
    o = guarded_getattr(object, name, M)
Unauthorized: You are not allowed to access 'id' in this context

________________________________________
= Comment - Entry #2 by waldi on Sep 2, 2003 8:43 am

Also, the content-type is not overwritten from the error page.
________________________________________
= Request - Entry #1 by waldi on Sep 2, 2003 6:19 am

METAL macros in xml mode always raise Unauthorized. The same exception occurs while saving a template which uses these macros with the option "Expand macros when editing" enabled. The logged-in user has Manager rights in the root and is able to call each template separately.

The same macros in html mode work.
==============================================================