[Zope] ObjectManager FTPlist - acquisition issues

Chris Price cprice@orbik.com
28 Nov 2001 17:51:17 -0600


I don't know if this the right place to ask these questions... I
somewhat think that this belongs more in the zope-dev list but I'm
hesitant to post there since I'm not officially a developer of Zope.

There is a problem in the manage_FTPlist method of ObjectManager.
I found a patch (written by Deiter Maurer and available at:
http://www.dieter.handshake.de/pyprojects/zope/#bct_sec_5 ) that might 
fix this issue, but I'm uncertain as to the status of this patch.

I'm not expecting anyone to solve this for me right away, but I would
like to know what the right forum is to discuss this, who is the
maintainer of this code, how to monitor the status of it, etc.  I would
also like to know what the status of Deiter's patch is; is it scheduled
for inclusion in a future release of zope?  Is it a potential security
hole?  If there is some place that I can go to find this information,
could someone please let me know where?

Here is a more detailed explanation of the problem:

There is a bit of code in ObjectManager.py where it checks to see if an
object is acquired:

ob=self
while 1:
	if App.Common.is_acquired(ob):
		raise ValueError('FTP List not supported on acquired objects')
	if not hasattr(ob,'aq_parent'):
		break
	ob=ob.aq_parent

Now I'm not completely familiar with the inner workings of zope, so I'm
not sure I understand how this is supposed to work.  What I do know is
that a ZClass that is nested inside another ZClass in the Products
folder will cause problems with this bit of code.

If you FTP into your ZServer and do:

cd Control_Panel/Products/SomeProduct/SomeZClass/propertysheets/methods
cd NestedZClass/propertysheets
cd methods

then the "ValueError" above will be raised.  The while loop runs 3
times, with 'ob' being set to the following three objects:

<ZClassMethodsSheet instance at 8942708>
<bar_ZPropertySheetsClass instance at 88e3a58>
<ZClass instance at 886c320>

The ZClass instance then passes the 'is_acquired' test, the ValueError
is raised, and the FTP server says 'No such directory'.

So is the acquisition check just overkill?  If it is removed, will that
solve the problem?  Or is the problem actually related to the fact that
the <ZClass instance> passes the 'is_acquired' test when it should not?

My apologies for getting so deep into this issue on the list here, but I
just don't know where else to address my questions to.  This problem is
crippling FTP access to my development tree, and that is a critical
factor in whether or not my company chooses to use Zope or not, so I
would really like to get to the root of this problem.

thanks for any info you can provide!
chris price