[Zope-dev] ZPatterns Project Help!

Phillip J. Eby pje@telecommunity.com
Wed, 22 Nov 2000 11:21:56 -0500


At 10:21 AM 11/22/00 -0500, bentzion@bellatlantic.net wrote:
>Thanks for answering Steve.
>
>Unfortunitly I am working with version 0.3 of ZPatterns so I have 
>to use GAP. 
>
>When I try to translate your Skinscript into GAP like this 
>"attrsexprs:account_object=(RESULT is _.None) and NOT_FOUND or 
>RESULT" and I try to access the object's id with <dtml-var 
>"account_object.id"> I get a "NameError" on account_object. 
>Alternativly if I do <dtml-var account_object> I get a "KeyError". 
>
>(BTW. for testing I used "accounts.getItem('1434')" which is a 
>valid object. If I do "account_object=RESULT.id" it works fine.)
>

Perhaps this is a security issue?  When you set account_object=RESULT.id,
then the account_object attribute is a string, and has no security
protection from access by DTML.  When it is an object, however, your DTML
must have permissions to the object itself.  I am not positive, but I think
ZPatterns 0.3 may have executed GAP expressions as the superuser, so it may
be that your GAP is able to access the object, but not the DTML which is
using the DataSkin.