[Zope-dev] Proxy not Propagating - could be FSDTMLMethod

alan runyan runyaga@thisbox.com
Mon, 2 Jul 2001 17:00:23 -0500


This is in the context of CMF, but it's a ZOPE Security issue.  I have a
Script (Python), createJobPosting, which is:

from DateTime import DateTime
path = ('', 'virtual_hosts', 'thecommode', 'Members', 'PUBLIC')

PUBLIC = context.restrictedTraverse(path)
id = str(DateTime().millis())
PUBLIC.invokeFactory(type_name='Job Posting', id=id)
obj = getattr(PUBLIC,id)
view = getattr(obj,'job_edit_form')

return obj.getEditView()

That is Proxied as Manager/Member/Reviewer.  It creates an object just fine
(in Members/PUBLIC), so the script then calls obj.getEditView(), which
is:

    security.declarePublic('getEditView')
    def getEditView(self):
        skins = getToolByName(self, 'portal_skins')
        if hasattr(skins, 'job_edit_form'):
            self.editView = getattr(skins, 'job_edit_form')
        # i assume this gets a new security context? when it's being
        # 'published', how can i proxy this as Manager/Member/Reviewer?
        return self.editView(self, self.REQUEST)

I need to render the job_edit_form (filesystem DTML Method) in the same
Security Proxy context (as Manager/Member/Reviewer), but upon its publishing
it encounters _.hasattr(this(), 'myAttribute') and says I don't have
access to this().

Zope2.3.3, CMF1.1, Linux, Python 1.52

Traceback (innermost last):
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: createJobPosting)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: createJobPosting)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/Shared/DC/Scripts/Bindings.py, line 324, in __call__
    (Object: createJobPosting)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/Shared/DC/Scripts/Bindings.py, line 354, in _bindAndExec
    (Object: createJobPosting)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/Products/PythonScripts/PythonScript.py, line 336, in _exec
    (Object: createJobPosting)
    (Info: ({'script': <PythonScript instance at 8896da8>, 'context': <CMFSite instance at 884bad0>, 'container': <CMFSite instance at 884bad0>, 'traverse_subpath': []}, (), {}, None))
  File Script (Python), line 11, in createJobPosting
    (Object: DateTime)
  File /home/zope/ZopeInstallation/InstanceHome/Products/CMFEmployment/JobPosting.py, line 255, in getEditView
    (Object: DynamicType)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/Products/CMFCore/FSDTMLMethod.py, line 180, in __call__
    (Object: job_edit_form)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/DocumentTemplate/DT_String.py, line 540, in __call__
    (Object: job_edit_form)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/Products/CMFCore/FSDTMLMethod.py, line 175, in __call__
    (Object: standard_html_header)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/DocumentTemplate/DT_String.py, line 540, in __call__
    (Object: standard_html_header)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/DocumentTemplate/DT_Util.py, line 333, in eval
    (Object: _.hasattr(this(),'isEffective') and not isEffective(ZopeTime() ))
    (Info: this)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/Products/CMFCore/FSDTMLMethod.py, line 198, in validate (Object: job_edit_form)
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/AccessControl/SecurityManager.py, line 144, in validate
  File /home/zope/ZopeInstallation/ZopeSoftwareHome/lib/python/AccessControl/ZopeSecurityPolicy.py, line 225, in validate
Unauthorized: (see above)

I think quite a few people could run into this when trying to Proxy content
manipulation to non-logged-in users, i.e. allowing people who are not
logged in to submitContent (but proxying them off as if they were a logged-in
Member -- in this case PUBLIC).  I am going about this the correct way, I
believe?

I also tried to 'customize' the FSDTMLMethod and proxy it as
Manager/Reviewer/Member and it still gives me the same error ;'(

thanks,
~runyaga
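
Added example, not part of the original message and not Zope or CMF code: a simplified Python model of the call chain in the traceback (createJobPosting, then job_edit_form, then standard_html_header). It assumes the security policy consults only the proxy roles of the executable on top of the execution stack and omits the executable-owner check; the class names and the NEEDED roles are hypothetical.

```python
# Simplified model, not Zope source. Assumption: only the executable on top of
# the execution stack contributes proxy roles to a permission check.
class Unauthorized(Exception):
    pass

class Executable:
    def __init__(self, name, proxy_roles=()):
        self.name, self.proxy_roles = name, tuple(proxy_roles)

class SecurityManager:
    def __init__(self, user_roles):
        self.user_roles, self.stack = tuple(user_roles), []

    def effective_roles(self):
        # Proxy roles of the currently executing object replace the user's
        # roles; callers further down the stack are not consulted.
        if self.stack and self.stack[-1].proxy_roles:
            return self.stack[-1].proxy_roles
        return self.user_roles

    def validate(self, required_roles):
        if not set(self.effective_roles()) & set(required_roles):
            raise Unauthorized(self.stack[-1].name if self.stack else "request")
        return True

def render(sm, chain, required_roles):
    """Nest the executables in `chain`; the innermost one accesses an object
    guarded by `required_roles`. Returns True or the name that was refused."""
    def run(i):
        if i == len(chain):
            return sm.validate(required_roles)
        sm.stack.append(chain[i])          # like entering __call__
        try:
            return run(i + 1)
        finally:
            sm.stack.pop()                 # like leaving __call__
    try:
        return run(0)
    except Unauthorized as exc:
        return "Unauthorized in %s" % exc

# Constructed scenario mirroring the call chain in the traceback.
PROXY = ("Manager", "Member", "Reviewer")
NEEDED = ("Manager", "Owner")  # hypothetical roles guarding the new posting
script = Executable("createJobPosting", PROXY)
form, header = Executable("job_edit_form"), Executable("standard_html_header")
if __name__ == "__main__":
    sm = SecurityManager(["Anonymous"])
    print(render(sm, [script, form, header], NEEDED))
    print(render(sm, [script, Executable("job_edit_form", PROXY), header], NEEDED))
```

In this model both calls are refused inside standard_html_header: giving proxy roles to the script, or to job_edit_form alone, does not cover a template that the form in turn renders.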