[Zope] Re: external method problems...
Jeffrey Hood
jhood@hmcon.com
Fri, 27 Jun 2003 16:46:03 -0400
Dieter Maurer wrote:
> Jeffrey Hood wrote at 2003-6-26 17:32 -0400:
> > I have an external method (which makes a SOAP call) which when running
> > the test on, works and returns data as expected... however, with the
> > following tal code:
> > ...
> > <table border="1" tal:define="data python:here.getRecords()['item']">
> > <tr tal:repeat="record data">
> > <td tal:content="python:record[0]">record item 1</td>
> > ...
> > I am getting a basic authentication box... which I don't want... and
> > additionally, no matter if I type in a valid superuser login and
> > password, the box just keeps coming up...
>
> What type of object is "record"?
> What type is "record[i]"?
> Either one seems to be an instance without security declarations.
getRecords() returns:
{u'item': [['1', 'Fido', '5.00'], ['2', 'Spot', '10.00'], ['4', 'Sparky',
'24'], ['9', 'Buffy', '10'], ['10', 'Bobby', '50']]}
(BTW, I'm a beginner with Python/Zope, so forgive me if I don't get the
terminology correct...)
I've been told that that is a dictionary...
> Convert the "record" into a dictionary (in your External Method) or
> give "record[i]" the necessary security declarations (see
> Zope Developer Guide, for details).
If it is a dictionary, is it outside the need for security declarations?
I've looked at the Guide, and don't really understand how to set permissions
on a return value...
>
> > I'm guessing that there is some kind of
> > permission problem, although I don't know why calling it via the url
> > anonymously (http://...../getRecords) returns the same as the test...
> > is there something that I am missing in tal to call the external method
> > that requires setting some permissions ?
>
> You may have encountered a security bug!
>
> ZPublisher (more precisely "BaseResponse") converts the result
> into a string (calling "str"). This is done from unrestricted
> code. It may reveal information which is not available from
> restricted code (as your TAL).
>
> Please file a bug report.
Is there any way around this problem (time is somewhat of an issue...) and
is there any thing that I can return differently that would help... the
external method is simply calling a webservice via SOAP, and the "default"
that it is returning is the dictionary...
Thanks for all of the help...
JH
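Added example, not code from the thread or from Zope: Dieter's first suggestion was to convert the SOAP toolkit's objects into plain dictionaries inside the External Method, since restricted code (TAL, Python Scripts) may only traverse plain Python containers and strings, while instances of a toolkit's own classes need security declarations. The helper below flattens whatever the SOAP call hands back into dict/list/scalar values and includes a check that confirms nothing else survives. The `SoapRecord` and `SoapArray` classes are constructed stand-ins for toolkit objects (an assumption about what `getRecords()` really returns; the thread only shows how the result prints), and the sample response is constructed to match the output quoted above.

```python
"""Flatten SOAP toolkit objects into plain Python values inside an External
Method, so that restricted code (TAL) can traverse the result.

Assumptions (not from the thread): the SOAP library returns instances of its
own classes; Zope restricted code may freely use dict/list/str/int/float
values but not attributes of arbitrary instances.  The SoapRecord and
SoapArray classes below are constructed stand-ins for such toolkit objects.
"""

PLAIN_SCALARS = (str, bytes, int, float, bool, type(None))


def to_plain(value, _depth=0, _max_depth=32):
    """Recursively convert value into plain dict / list / scalar values only.

    Private attributes (leading underscore) of toolkit objects are dropped,
    so internal state such as raw XML never reaches the caller.
    """
    if _depth > _max_depth:
        raise ValueError("nesting too deep; refusing to convert")
    if isinstance(value, PLAIN_SCALARS):
        return value
    if isinstance(value, dict):          # covers dict subclasses as well
        return {str(k): to_plain(v, _depth + 1) for k, v in value.items()}
    if isinstance(value, (list, tuple, set)):
        return [to_plain(v, _depth + 1) for v in value]
    # Struct-like toolkit object: take its public attributes.
    attrs = {}
    if hasattr(value, "__dict__"):
        attrs = {k: v for k, v in vars(value).items() if not k.startswith("_")}
    if attrs:
        return {k: to_plain(v, _depth + 1) for k, v in attrs.items()}
    # Array-like toolkit object: iterate it.
    try:
        iterator = iter(value)
    except TypeError:
        return str(value)               # last resort: a string, never an instance
    return [to_plain(v, _depth + 1) for v in iterator]


def is_plain(value):
    """True if value contains only plain dict/list/scalar values (no subclasses)."""
    if isinstance(value, PLAIN_SCALARS):
        return True
    if type(value) is dict:
        return all(isinstance(k, str) and is_plain(v) for k, v in value.items())
    if type(value) is list:
        return all(is_plain(v) for v in value)
    return False


def get_records_plain(soap_result):
    """What the External Method should return to TAL: the flattened result.

    The check raises instead of returning a structure restricted code
    could not traverse (that silent failure is what the thread ran into).
    """
    plain = to_plain(soap_result)
    if not is_plain(plain):
        raise TypeError("SOAP result still contains non-plain objects")
    return plain


# ---- constructed stand-ins for SOAP toolkit objects (assumption) ----------

class SoapRecord:
    """Struct-like object: public attributes plus private bookkeeping."""
    def __init__(self, id, name, price):
        self.id = id
        self.name = name
        self.price = price
        self._raw_xml = "<item>...</item>"   # must not leak to restricted code


class SoapArray:
    """Array-like object: iterable, but not a list and with no public attrs."""
    def __init__(self, items):
        self._items = list(items)

    def __iter__(self):
        return iter(self._items)


# Constructed sample response shaped like the one quoted in the thread.
SAMPLE_RESPONSE = {"item": SoapArray([
    SoapRecord("1", "Fido", "5.00"),
    SoapRecord("2", "Spot", "10.00"),
    SoapRecord("4", "Sparky", "24"),
])}

if __name__ == "__main__":
    print(get_records_plain(SAMPLE_RESPONSE))
```

In Zope the External Method would call the SOAP service and return `get_records_plain(result)`; because the records become dictionaries keyed by field name rather than positional lists, the TAL would use `python:record['name']` (or the path `record/name`) instead of `record[0]`. Note that `is_plain` rejects dict and list subclasses deliberately: a toolkit's subclass of `list` still needs declarations in restricted code even though `str()` prints it like a plain list, which is why the publisher's URL test looked fine.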