[Zope-dev] DTML Documents/Folders in ZClasses fail to access anything

Itai Tavor itai@optusnet.com.au
Thu, 22 Feb 2001 10:05:20 +1100 

Steve Alexander wrote:

>Itai Tavor wrote:
>
>>Hi,
>>
>>I got a ZClass 'Test', with a DTML Method 'view' containing 
>><dtml-var id>, and a DTML Document 'view2' with the same line. 
>>instance/view works. instance/view2 returns (ZDebug output):
>
>From SimpleItem.py:
>
>"""Direct use of the 'id' attribute is deprecated - use getId()"""
>
>The difference you're seeing is because the DTML Method is acquiring the
>id attribute, whereas you're getting the DTML Document's own id
>attribute.

Thanks, but it's got nothing to do with getId... I just used id 
because it's easy to write. I get the same behavior if I try to view 
meta_type, or a property that is defined on a propertysheet in the 
ZClass. And the fact that the DTML Document uses its own attributes 
shouldn't cause Unauthorized, should it? It should just show a 
different attribute, or acquire the attribute if it doesn't have it.

I just tried it again with a clean install of Zope 2.3.0. In a DTML 
Document, this works (name is a property in the ZClass propertysheet):

<dtml-with "PARENTS[0]">
   <dtml-var name>
   <dtml-var meta_type>
</dtml-with>

But these fail with Unauthorized: <dtml-var name>, <dtml-var 
meta_type>. The <dtml-var title_or_id> in standard_html_header fails 
as well.

I also repeated the folder test: In a DTML Method stored inside a 
folder in the ZClass, <dtml-var name> works, but <dtml-var 
title_or_id> fails.

So what do we have? I can't use title_or_id on DTML Documents, so 
it's useless for use in standard_html_header (and title_or_id uses 
getId, so it should work). I can't access ZClass properties from the 
DTML Document unless I use dtml-with - meaning no acquisition. And I 
can't access properties of the DTML Document (like meta_type) unless 
they are accessed using a method call (like getId()). This can't be 
right.

I find it hard to believe that if this is really a bug, it didn't 
bother anybody else until now. On the other hand, these tests seem to 
show a problem with security checks on objects in ZClasses that 
create their own context. So what am I still missing here?

Itai
-- 
--
Itai Tavor                      -- "Je sautille, donc je suis."    --
itai@optusnet.com.au            --               - Kermit the Frog --
--                                                                 --
-- "If you haven't got your health, you haven't got anything"      --