[Zope] Probably Zope Bug (was: Re: [Zope] all DTML Methods of current folder and subfolder)
Dieter Maurer
dieter@handshake.de
Wed, 26 Jul 2000 00:13:07 +0200 (CEST)
Jerome Alet writes:
> Thanks to you, the syntax you gave me is accepted by the dtml parser, but
> both
>
> <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'],
> obj_expr='''not objectValues(['Folder'])''',
> search_sub=1)">
>
> and
>
> <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'],
> obj_expr='not objectValues([\'Folder\'])',
> search_sub=1)">
>
> have given me an empty list.

I analysed this strange behavior in Zope 2.1.6
and have a partial explanation.

Although the permission setting for "objectValues"
is "Access contents information", which by default
is granted to "Anonymous" and "Manager",
only "Manager" is allowed to access "objectValues"
in the context of the above "ZopeFind".
I could not yet determine why this is the case.

But taking this fact for granted, the behavior
becomes clear: the access to "objectValues" results
in an "Unauthorized" exception. This
is caught but prevents any object from being
added to the result list.

Workaround:
you need to add the REQUEST parameter to "ZopeFind",
i.e.:

<dtml-in "ZopeFind(this(), obj_metatypes=['Folder'],
obj_expr='not objectValues([\'Folder\'])',
search_sub=1, REQUEST=REQUEST)">

This allows ZopeFind to use AUTHENTICATED_USER for
validation of the "objectValues" access.
The code will then work at least for the manager.
Hopefully (not tested) a manager proxy role will
make it work for arbitrary users, too.

I will investigate further why "this().objectValues__roles__"
returns "('Manager',)" rather than "('Anonymous','Manager')".
However, this can take quite some time because I am
currently a bit stressed.

Dieter
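
Added illustration, not part of the original message and not Zope's source code: a simplified Python model of the failure mode described above, where a search swallows the "Unauthorized" raised by its filter expression and so returns an empty list instead of an error. All names (Folder, guarded_call, is_leaf, find, sample_tree) are hypothetical, and the role tuple is the one the message reports.

```python
# Simplified model (assumption): not Zope's code; all names are hypothetical.
class Unauthorized(Exception):
    pass

class Folder:
    # Roles the message reports seeing for objectValues in this context.
    objectValues__roles__ = ("Manager",)

    def __init__(self, name, children=()):
        self.name = name
        self.children = list(children)

    def objectValues(self):
        return list(self.children)

def guarded_call(obj, method, user_roles):
    """Call obj.method() only if the caller holds one of <method>__roles__."""
    allowed = getattr(obj, method + "__roles__")
    if not set(allowed) & set(user_roles or ()):
        raise Unauthorized(method)
    return getattr(obj, method)()

def is_leaf(folder, user_roles):
    """Counterpart of obj_expr='not objectValues(...)' in the message."""
    return not guarded_call(folder, "objectValues", user_roles)

def find(root, predicate, user_roles=None, denied=None):
    """Recursive search that swallows Unauthorized raised by the predicate.

    Passing a list as `denied` records each swallowed denial, so an empty
    result can be told apart from an authorization failure.
    """
    hits = []
    for child in root.children:
        try:
            if predicate(child, user_roles):
                hits.append(child.name)
        except Unauthorized as exc:
            if denied is not None:
                denied.append((child.name, str(exc)))
        hits.extend(find(child, predicate, user_roles, denied))
    return hits

def sample_tree():
    """Constructed sample: root -> a -> b, and root -> c."""
    return Folder("root", [Folder("a", [Folder("b")]), Folder("c")])

if __name__ == "__main__":
    print(find(sample_tree(), is_leaf))                # no user context
    print(find(sample_tree(), is_leaf, ("Manager",)))  # manager context
```

Recording the swallowed denials, as the optional `denied` list does here, is what distinguishes "no matching folders" from "every check was refused".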