[Zope-dev] another validation problem

[Michel Pelletier]

Robin Becker wrote:
> 
> The latest CVS version is giving autorization demands (and failures) with this DTMLmethod.
> This kind of construct used to work fine.
> 
> <dtml-var standard_html_header>
> <h2><dtml-var title_or_id> <dtml-var document_title></h2>
> <p>
> <dtml-with "_.namespace(SUB=[1,2])">
> <dtml-if "_.len(SUB)>0">non-empty<dtml-else>empty</dtml-if>
> </dtml-with>
> </p>
> <dtml-var standard_html_footer>

Perhaps newly created names in the _ namespace do not get understood by
the new security guts.

Does it work if you:

<dtml-with "_(SUB=[1,2])">
 ...
</dtml-with>

and call the namespace directly?  The two are supposed to be synonymous
but your method is depricated so perhaps it works the other way, if not,
I'd suggest putting this in the collector for us to fix before the next
release.


>              (Object: _.namespace(SUB=[1,2]))
>            File C:\Python\devel\Zope\lib\python\DocumentTemplate\DT_Util.py, line 327, in eval
>              (Object: _.len(SUB)>0)
>              (Info: SUB)
>            File C:\Python\devel\Zope\lib\python\OFS\DTMLMethod.py, line 184, in validate
>              (Object: xxx)
>            File C:\Python\devel\Zope\lib\python\AccessControl\SecurityManager.py, line 139, in validate
>            File C:\Python\devel\Zope\lib\python\AccessControl\ZopeSecurityPolicy.py, line 160, in validate
>          Unauthorized: SUB

-- 

-Michel Pelletier

http://www.zope.org/Members/michel/MyWiki

Visit WikiCentral for the latest Zen:

http://www.zope.org/Members/WikiCentral