[Zope] String to object ID

Art Hampton arth@pacsg.css.mot.com
Wed, 08 Dec 1999 08:58:08 -0600


I'm trying to use Evan's DTML Method "FetchObj" (quoted below).  It
works great for retrieving an object if I'm guaranteed to have
permissions for it.

If I don't have permission, and try to detect that ahead of time so that
I can skip or otherwise note the permission problem, I'm trying the
following:

<dtml-if "AUTHENTICATED_USER.has_permission('View', _.render(fetchObj(_.None, _, fetchStr=category_path)))">

Note that 'View' probably needs to be 'Access contents information', but
I wasn't sure if 'Access contents information' was how I was supposed to
write the permission parameter, and I saw 'View' used in a How-To.
Thought I'd get the syntax right, then work on whether or not the
permission category was right....

In this snippet, category_path is the path of the folder for which I may
not have permissions.  Unfortunately, the act of calling FetchObj seems
to invoke security:


Zope Error

  Zope has encountered an error while publishing this resource. 

  Unauthorized

  You are not authorized to access NewsCategory2. 

  Traceback (innermost last):
    File /usr/local/zope/Zope-2.1.0-src/lib/python/ZPublisher/Publish.py, line 214, in publish_module
    File /usr/local/zope/Zope-2.1.0-src/lib/python/ZPublisher/Publish.py, line 179, in publish
    File /usr/local/zope/Zope-2.1.0-src/lib/python/ZPublisher/Publish.py, line 165, in publish
    File /usr/local/zope/Zope-2.1.0-src/lib/python/ZPublisher/mapply.py, line 160, in mapply
      (Object: index_html)
    File /usr/local/zope/Zope-2.1.0-src/lib/python/ZPublisher/Publish.py, line 102, in call_object
      (Object: index_html)
    File /usr/local/zope/Zope-2.1.0-src/lib/python/OFS/DTMLMethod.py, line 145, in __call__
      (Object: index_html)
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
      (Object: index_html)
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_Let.py, line 145, in render
      (Object: idlist=GetUserSelectedNewsCategories)
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_In.py, line 691, in renderwob
      (Object: NewsCatalog.searchResults(category_id=idlist))
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_Let.py, line 145, in render
      (Object: newsitem_path="NewsCatalog.getpath(data_record_id_)" category_path="''" category_path_list="_.string.split(newsitem_path, '/')")
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_Let.py, line 145, in render
      (Object: category_path="_.string.join(category_path_list, '/')")
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
      (Object: AUTHENTICATED_USER.has_permission('View', _.render(fetchObj(_.None, _, fetchStr=category_path))))
      (Info: category_path)
    File <string>, line 0, in ?
    File /usr/local/zope/Zope-2.1.0-src/lib/python/OFS/DTMLMethod.py, line 141, in __call__
      (Object: fetchObj)
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
      (Object: fetchObj)
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_Let.py, line 145, in render
      (Object: obj="[_]")
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_In.py, line 691, in renderwob
      (Object: _.string.split(fetchStr, '/'))
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
      (Object: obj.append(obj.pop()[_['sequence-item']]))
      (Info: obj)
    File <string>, line 0, in ?
    File /usr/local/zope/Zope-2.1.0-src/lib/python/DocumentTemplate/DT_Util.py, line 166, in careful_getitem
  Unauthorized: (see above)


Does anyone have any suggestions?

Otherwise I'll have to go back to my original strategy of placing all of
my news category security info in MySQL, and secure the queries using
DTML method proxy rights.  I was hoping to go with ZCatalog Aware
objects in folders, so I could take advantage of the built-in Zope
security model and ZCatalog awareness/ZCatalog searches.

Thanks in advance for any pointers.


Evan Simpson wrote:
> 
> I missed some of the prior discussion, so I hope this isn't irrelevant.
> 
> Are you trying to access an object given a string such as 'hie/dee/hoe'?  If
> so, try this:
> 
> DTML Method FetchObj:
> <dtml-let obj="[_]">
>   <dtml-in expr="_.string.split(fetchStr, '/')">
>     <dtml-call expr="obj.append(obj.pop()[_['sequence-item']])">
>   </dtml-in>
>   <dtml-return expr="obj[0]">
> </dtml-let>
> 
> example call:  <dtml-var expr="_.render(FetchObj(_.None, _,
> fetchStr='hie/dee/hoe').id)">
> 
> Some notes about the above:
> o We start with a list containing the global namespace object.
> o For each path element, we pop the current object, find the sub-object, and
> put it back in the list.
> o You could use REQUEST.set instead of the list foolery if you wanted to.
> o _.render is necessary since the .id of folders is a string, while that of
> methods is a method :-P
> 
> If you use PythonMethods, the above can be more simply written as:
> 
> PythonMethod FetchObj:
> <params>_, fetchStr, attr=None</params>
> obj = _
> for p in string.split(fetchStr, '/'):
>   obj = obj[p]
> if attr is None:
>   return obj
> else:
>   return render(_.getattr(obj, attr))
> 
> <dtml-var expr="FetchObj(_, 'hie/dee/hoe', 'id')">
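
The traceback above shows Unauthorized being raised from careful_getitem inside fetchObj, that is, during the path walk and before has_permission is ever evaluated. The following is an added example, not code from the original post or from Zope: a self-contained Python model (Folder, guarded_getitem, probe_path and the sample tree are hypothetical) of that behaviour and of turning the refusal into a result the caller can skip.

```python
# Constructed model of guarded path traversal; not Zope's implementation.
class Unauthorized(Exception):
    """Models the error in the traceback: a guarded lookup was refused."""
    def __init__(self, name):
        super().__init__("You are not authorized to access %s." % name)
        self.name = name

class Folder:
    """Toy container: `readers` is the set of user names allowed to reach it."""
    def __init__(self, name, readers, children=()):
        self.name = name
        self.readers = set(readers)
        self.children = {c.name: c for c in children}

def guarded_getitem(container, key, user):
    """Security-checked subscript: the check runs on every traversal step."""
    child = container.children[key]  # KeyError if the path itself is wrong
    if user not in child.readers:
        raise Unauthorized(child.name)
    return child

def fetch_obj(root, path, user):
    """Same walk as FetchObj: split on '/', descend one element at a time."""
    obj = root
    for segment in path.split("/"):
        obj = guarded_getitem(obj, segment, user)
    return obj

def probe_path(root, path, user):
    """Return (object, None) if reachable, else (None, denied_segment_name)."""
    try:
        return fetch_obj(root, path, user), None
    except Unauthorized as exc:
        return None, exc.name

# Constructed sample tree and users.
ROOT = Folder("root", {"art", "evan"}, [
    Folder("News", {"art", "evan"}, [
        Folder("NewsCategory1", {"art", "evan"}),
        Folder("NewsCategory2", {"evan"}),
    ]),
])

def visible_categories(user, paths):
    """Skip paths the user cannot traverse instead of failing the whole page."""
    return [p for p in paths if probe_path(ROOT, p, user)[1] is None]
```

Only Unauthorized is caught here, so a mistyped path still surfaces as a KeyError rather than being mistaken for a permission refusal.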