[Zope-dev] acquisition, traversal, __roles__(, and zpt?)

[Gary Poster]

Hi everyone.

OK.  I'm stumped.  I'm doing funky tricks here to create an alias
functionality somewhat similar to a transparent folder.  In the belief that
brevity begets more possibility for answers, I won't tell you more, but just
get straight to the chase:

Zope 2.5, CMF 1.2 (but I'm using the dev list rather than the ptk or zpt
lists because it has to do with internals more, I think)

During traversal, I have (intentionally) created an acquisition chain like
this:

<pageTemplate> <OBJECT X> <CMF root> <Zope root> <request>

in which <OBJECT X> is an "alien" object inserted after the CMF root.  By
alien I mean it is not an actual child of the CMF root, nor the actual
parent of the pageTemplate.  The pageTemplate itself is arbitrarily stored
*outside* of the CMF, and also inserted during traversal.  <OBJECT X> was
unwrapped (aq_base) and then wrapped __of__(<CMF root>), and the
pageTemplate also unwrapped and then wrapped __of__(<OBJECT X>).

Everything seems mostly fine with this with basic DTML stuff, even so far as
the DTML using CMF skins.  However, ZPT pages give me security errors if I
try to use a skin.

I have traced this down, through the
Products.PageTemplates.Expressions.RestrictedTraverse function, through
security validation, to the fact that if the page template asks for an
object like "nocall here/portal_url", and then traverses to get the
portal_url, the portal_url is found but has no __roles__.

__roles__ appear to be deep magic (AccessControl.PermissionRole).  I don't
quite understand how this property exists: I figure it must also have
functional elements in the C acquisition code somewhere (which I have not
worked through).

<OBJECT X> has both __allow_access_to_unprotected_subobjects__ and
security.declareObjectPublic().  I've tried not removing the "real" wrappers
of <OBJECT X> and the page template, to no avail.

Heh.  Any ideas?

Thanks

Crazy Gary