[Zope-dev] hmmm.. weird permission issues with getPersistentItemIDs()...
Steve Spicklemire
steve@spvi.com
Wed, 16 Aug 2000 06:19:07 -0500 (EST)
Hi Steve,
Thanks for the reply. Of course as soon as I reported this, I went
away for a couple days and I haven't been able to check the list.
It appears that the problem is that the BTreeItems object returned by
getPersistentObjectIDs isn't currently allowed as an argument of 'in'
by itself since it's not in the 'containerAssertions' dictionary
defined in SimpleObjectPolicies.py and it doesn't have the magic
property: '__allow_access_to_unprotected_subobjects__'. If you *sort*
the BTreeItems object however, the dtml-in tag makes a copy of the
items in the BTreeItems object as a simple List, and sorts that rather
than destructively attempting to sort the original. The simple list
is in containerAssertions, and is therefore allowed.
I was wrong about the
<dtml-var "defaultRack.getPersistentItemIDs()">
it's only
<dtml-in "defaultRack.getPersistentItemIDs()">
that seems to cause the problem.
The odd thing is that the method 'getPersistentObjectIDs' is correctly
included in the definition of __ac_permissions__ in Rack.py, but as
you point out, it returns a BTreeItems object that doesn't want to
play nice with <dtml-in... >. One possible solution would be to add
an '__allow_access_to_unprotected_subobjects__' property to the
BTreeItems object. I'm not sure who should do that..... maybe Rack.py?
For now.. I'll just sort the ids. ;-)
thanks,
-steve
>>>>> "Steve" == Steve Alexander <steve@cat-box.net> writes:
Steve> Steve Spicklemire wrote:
>> Hi ZPatterns folks...
>>
>> ZPatterns-0.4.1snap1 Zope2.2.0-src
>>
>> I have a specialist with a defaultRack storing DataSkin
>> subclassed ZClass instances with only persistent attribute
>> providers.
>>
>> <dtml-var "defaultRack.getPersistentItemIDs()">
Steve> When I call that, I get <BTreeItems object at 869a5d8>. To
Steve> get that list of IDs, I use an external method:
Steve> def get_persistent_ids(self):
Steve>     try:
Steve>         items = self.defaultRack.aq_base.getPersistentItemIDs()
Steve>         # copy the BTreeItems into a plain list
Steve>         return map(lambda x: x, items)
Steve>     except:
Steve>         # log the full traceback to stderr instead of swallowing it
Steve>         import sys, traceback, string
Steve>         etype, val, tb = sys.exc_info()
Steve>         sys.stderr.write(string.join(traceback.format_exception(etype, val, tb), ''))
Steve>         del etype, val, tb
Steve> I've tried something like your code, with no sheetproviders
Steve> in the rack. I can't reproduce your error. I'm using the
Steve> method as a Manager.
>> or
>>
>> <dtml-in "defaultRack.getPersistentItemIDs()"> ... </dtml-in>
>>
>> raise AuthorizationFailed
>>
>> <dtml-in "defaultRack.getPersistentItemIDs()" sort> ...
>> </dtml-in>
>>
>> works fine. What did I do now? ;-)
Steve> Line 318, Rack.py. The method getPersistentItemIDs has no
Steve> docstring. Is that still significant under the new security
Steve> model?
Steve> Does the user you're running the method as have the
Steve> permission "Access contents information" ?
Steve> Looks like you may have uncovered a Zope security bug in
Steve> <dtml-in ... sort> :-/
Steve> How could we test this further?
Steve> --
Steve> Steve Alexander
Steve> Software Engineer
Steve> Cat-Box limited
Steve> http://www.cat-box.net
Steve> _______________________________________________
Steve> Zope-Dev maillist - Zope-Dev@zope.org
Steve> http://lists.zope.org/mailman/listinfo/zope-dev
Steve> ** No cross posts or HTML encoding! **
Steve> (Related lists -
Steve> http://lists.zope.org/mailman/listinfo/zope-announce
Steve> http://lists.zope.org/mailman/listinfo/zope )
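[Editor's note: the following is an added toy model of the mechanism Steve describes above (containerAssertions, the `__allow_access_to_unprotected_subobjects__` flag, and the `sort` copy in `<dtml-in>`). It is not code from this thread, from ZPatterns, or from Zope; Zope's real check lives in AccessControl and behaves differently in detail. The names `ALLOWED_CONTAINERS`, `guarded_iter`, `BTreeItemsLike`, `FlaggedItems`, `dtml_in` and `demo` are assumptions made for this illustration.]

```python
"""Toy model of the Zope 2 container-assertion check discussed above.

Added example, not Zope's own code. Assumed names: ALLOWED_CONTAINERS
(stands in for containerAssertions), guarded_iter (stands in for the
check the DTML 'in' tag performs), BTreeItemsLike / FlaggedItems
(stand in for a BTreeItems object without / with the access flag),
dtml_in (stands in for <dtml-in ...> with and without 'sort').
"""


class Unauthorized(Exception):
    """Stands in for Zope's AuthorizationFailed / Unauthorized."""


# Stand-in for the containerAssertions table: only these simple types
# may be iterated over with 'in' from untrusted DTML without further checks.
ALLOWED_CONTAINERS = {list: True, tuple: True, dict: True, str: True}

FLAG = "__allow_access_to_unprotected_subobjects__"


class BTreeItemsLike:
    """A custom iterable that, like the BTreeItems object in the thread,
    is neither a simple container type nor marked with the access flag."""

    def __init__(self, items):
        self._items = list(items)

    def __iter__(self):
        return iter(self._items)

    def __len__(self):
        return len(self._items)


class FlaggedItems(BTreeItemsLike):
    """Same iterable, but carrying the magic flag (the fix the thread suggests)."""

    __allow_access_to_unprotected_subobjects__ = 1


def guarded_iter(container):
    """Model of the access check: return the container's items if iteration
    is permitted by the policy, otherwise raise Unauthorized."""
    if ALLOWED_CONTAINERS.get(type(container)):
        return list(container)
    if getattr(container, FLAG, 0):
        return list(container)
    raise Unauthorized("'in' not allowed on %s" % type(container).__name__)


def dtml_in(container, sort=False):
    """Model of <dtml-in ...>. With 'sort', the tag first copies the items
    into a plain list and sorts that copy; the object that then reaches the
    check is a list, which the policy allows, so the original object's lack
    of a flag is never noticed (the bypass Steve Alexander calls a bug)."""
    if sort:
        container = sorted(container)  # copy into a plain list before the check
    return guarded_iter(container)


def demo():
    """Run the three cases from the thread and return the outcomes."""
    ids = BTreeItemsLike(["c", "a", "b"])   # constructed sample IDs
    results = {}
    try:
        results["plain"] = dtml_in(ids)      # <dtml-in "...">  -> refused
    except Unauthorized:
        results["plain"] = "Unauthorized"
    results["sorted"] = dtml_in(ids, sort=True)          # <dtml-in "..." sort> -> works
    results["flagged"] = dtml_in(FlaggedItems(["c", "a", "b"]))  # flagged object -> works
    return results


if __name__ == "__main__":
    print(demo())
```

The model shows why sorting "fixes" the symptom: the check is applied to whatever object `<dtml-in>` ends up iterating, and `sort` swaps in a plain list before that point. Adding the flag to the object (or listing its type in the assertions table) is the principled fix; relying on `sort` leaves the policy decision to an accident of copying.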