[Zope] manage_addProperty [basic] syntax question
Dieter Maurer
dieter@handshake.de
Tue, 17 Apr 2001 21:22:06 +0200 (CEST)
Jason Cunliffe writes:
> From: "Dieter Maurer" <dieter@handshake.de>
> > Jason Cunliffe writes:
> > > I have searched, and I know its really simple, but please can anyone
> tell me
> > > how to take a working URL like this:
> > >
> > > http://Zsite231/images/manage_addProduct/Photo/PhotoAdd_version2
> >
> > Whenever you have a path (absolute, server local),
> > you can use "restrictedTraverse" to resolve it into an
> > object (under the condition of sufficient permissions).
>
> Thanks
> ....... so I tried this:
>
> <dtml-var
> "restrictedTraverse('/images/manage_addProduct/Photo/PhotoAdd_jason').absolu
> te_url()">
>
> following a syntax example from a post at
> http://lists.zope.org/pipermail/zope/2000-September/117834.html
>
> I imagine that you will not be surprised to learn that I keep getting a
> Network Password dialog box popping up...
I looked at the source in "OFS.Traversable" and determined,
that "restrictedTraverse" validates access to each intermediate
step. "REQUEST.resolve_url" on the other hand validates only
the last step (I think, did not check).
Your traceback suggests that you do not have access to "Photo".
I cannot tell you, why. With the help of my DocFinder product
URL:http://www.dieter.handshake.de/pyprojects/zope/DocFinder.html
I verified that my products allow access to "Anonymous" and
"Manager". Nevertheless, "restrictedTraverse" raises an
"Unauthorized". Maybe a bug in "getSecurityManager().validate"
or something with respect to acquisition or Zope permissions,
we do not yet understand.
Your options:
* use "unrestrictedTraverse" (not directly allowed from DTML or
Python script)
* use "REQUEST.resolve_url"
* find the reason, why Zope security does not work as we
expect - maybe file a bug report.
Currently, I have not enough time to analyse the problem fully.
Dieter