[Zope-dev] [Problem] Zope/Python2.x incompatibility
Dieter Maurer
dieter@handshake.de
Sun, 1 Jul 2001 16:15:40 +0200 (CEST)
Dear Zopistas,
I just met the following problem caused by a misfortunate name
clash between Python2.x and Zope:
DTML-Document:

    <dtml-var standard_html_header>
    <h2><dtml-var title_or_id></h2>
    <table cellpadding=5>
    <dtml-in propertyIds>
      <dtml-let p=sequence-item>
        <tr><th>&dtml-p;</th><td><dtml-var "_[p]"></td></tr>
      </dtml-let>
    </dtml-in>
    </table>
    <dtml-var standard_html_footer>

When this document is rendered, Shane's wonderful ZDebug tool reports:

    Error type: Unauthorized
    Error value: Access denied for <built-in method title of string object at 0x8d45e50> because
    its container, 'title', has no security assertions.
    Innermost method: /Test/wt/Target

    Namespace Stack (innermost entry at top)
    ID        Type
    (N/A)     mapping with keys: ['p']
    ?         InstanceDict
    ?         DocumentTemplate.DT_InSV.sequence_variables
    (N/A)     mapping with keys: ['propertyIds']
    (N/A)     mapping with keys: ['document_id', 'document_title']
    Target    InstanceDict
    Target    InstanceDict
    REQUEST   ZPublisher.HTTPRequest.HTTPRequest

.... problem in "_[p]".
What happens here?
"dtml-in" pushes the property id "title" (a string) onto the namespace
stack. It is the next-to-top "InstanceDict" entry.
Starting with Python 2.0 (maybe 1.6), string objects have
methods, among them "title".
When "title" is looked up in the namespace, the "title" of
the string object is found and not the one of the DTML Document.
This wrong "title" method gives an "Unauthorized" exception because
string objects do not participate in Zope's security mechanism.
Danger
Any string object on the namespace can prevent access to
the "title" property. Probably only "dtml-in" and
(if used wrongly) "dtml-with" are affected.
Thank you Shane for the wonderful "ZDebug".
Without it, it would have been much more difficult to analyse
this problem.
Dieter
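
The lookup described in the message above, as a simplified Python model added here for illustration; it is not Zope's code and not part of the original post. The names NamespaceStack, Document, resolve_properties and shadowed_by_string are hypothetical, and the model assumes only what the message states: the string sequence item sits on the stack as an attribute-resolving entry ahead of the document. It also goes one step further than the message by listing which other names a string entry would answer first.

```python
class Document:
    """Constructed stand-in for a DTML Document with two properties."""
    title = "My Document"
    content_type = "text/html"

    def propertyIds(self):
        return ["title", "content_type"]


class NamespaceStack:
    """Simplified model (not Zope's code): innermost entry is searched first."""

    def __init__(self):
        self._stack = []

    def push_mapping(self, mapping):   # like dtml-let: plain name -> value
        self._stack.append(("mapping", mapping))

    def push_instance(self, obj):      # like dtml-in: names resolve to attributes
        self._stack.append(("instance", obj))

    def pop(self):
        self._stack.pop()

    def lookup(self, name):
        """Return (owner, value) for the first entry that provides name."""
        for kind, entry in reversed(self._stack):
            if kind == "mapping" and name in entry:
                return entry, entry[name]
            if kind == "instance" and hasattr(entry, name):
                return entry, getattr(entry, name)
        raise KeyError(name)


def resolve_properties(doc):
    """Mimic the dtml-in/dtml-let loop; record whether "_[p]" reached doc."""
    ns = NamespaceStack()
    ns.push_instance(doc)
    found_on_doc = {}
    for pid in doc.propertyIds():
        ns.push_instance(pid)          # the sequence item, a str
        ns.push_mapping({"p": pid})
        owner, _value = ns.lookup(ns.lookup("p")[1])
        found_on_doc[pid] = owner is doc
        ns.pop()
        ns.pop()
    return found_on_doc


def shadowed_by_string(names):
    """Names that a str on the stack would answer before the real object."""
    return [n for n in names if hasattr(str, n)]
```

In this model "content_type" still resolves to the document, while "title" is answered by the string's own method, which is the object the Unauthorized error in the report refers to.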