[Zope] Security?

Goldthwaite, Joe joe at goldthwaites.com
Tue Dec 2 13:07:29 EST 2003


Hi Dylan,

I know I'm doing the same thing but it's something I really want to do.  I
guess I could return the list of tuples but wouldn't I then have to refer to
the fields by number instead of name?  That seems like a step backwards.
I've got this nice object with named attributes and I shouldn't have to
throw that out for security.   I tend to be a purist and have always tried
to keep efficiency in mind when writing applications.  I really have to get
past that.  When I think about all the overhead a web application has to go
through to do the same job as my old green screen application, I shiver.

By the way, that return line was slick.  I didn't know Python could convert
an item into a list in a single line like that.  You learn something new
every day.

Thanks again

-----Original Message-----
From: Dylan Reinhardt [mailto:zope at dylanreinhardt.com]
Sent: Monday, December 01, 2003 4:15 PM
To: joe at goldthwaites.com
Cc: Zope Users
Subject: RE: [Zope] Security?


On Mon, 2003-12-01 at 14:24, Goldthwaite, Joe wrote:
> Well, it didn't work.  As soon as I tried to create a loop and access the
> .desc property of the ISLine objects, I got this message;
>
> Error Type: Unauthorized
> Error Value: You are not allowed to access desc in this context

You're doing the same thing again... using custom objects in a
restricted environment.

Do *all* the heavy lifting in your external method... IMO, templates
shouldn't have to do practically any logic at all.  It's usually pretty
easy to do this in Python, often just something like:

---
return [(item['id'], item['desc']) for item in item_list]
---

Then all your template has to do is iterate over a list of tuples.

HTH,

Dylan
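
Added example, not part of the original thread: a stand-alone sketch of an external-method helper that keeps access by field name by returning plain dicts instead of tuples, copying only an allow-list of attributes. It assumes a restricted template can read built-in dicts just as it reads the tuples above; `ISLine` here is a constructed stand-in, and `export_rows` and `PLAIN_TYPES` are hypothetical names.

```python
# Added example: stand-alone sketch, runs without Zope.
# ISLine is a constructed stand-in for the poster's class; export_rows and
# PLAIN_TYPES are hypothetical names, not Zope API.

PLAIN_TYPES = (str, int, float, bool, type(None))


class ISLine:
    """Constructed stand-in: a custom object with named attributes."""

    def __init__(self, id, desc, amount, owner=None):
        self.id = id
        self.desc = desc
        self.amount = amount
        self.owner = owner  # may hold another custom object


def export_rows(items, fields):
    """Copy only the allow-listed attributes of each item into a plain dict.

    Values that are not simple built-ins are converted with str(), so no
    custom object is handed on to the template.
    """
    for name in fields:
        if name.startswith("_"):
            raise ValueError("private attribute not exportable: %r" % name)
    rows = []
    for item in items:
        row = {}
        for name in fields:
            value = getattr(item, name)
            row[name] = value if isinstance(value, PLAIN_TYPES) else str(value)
        rows.append(row)
    return rows


# Constructed sample data.
SAMPLE = [ISLine(1, "Revenue", 1200.0), ISLine(2, "Cost of sales", -450.0)]

if __name__ == "__main__":
    for row in export_rows(SAMPLE, ("id", "desc")):
        print(row["id"], row["desc"])
```

Fields left out of the allow-list (here `amount` and `owner`) never reach the template, so the external method stays the single place that decides what restricted code may see.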



