[Zope] ZPT can't read protected info retrieved by authorized script

Toni Vicens toni_vicens at terra.es
Thu Jul 22 04:24:54 EDT 2004


Hi,

I'm new to Zope development and I'm quite stuck with the following
problem:

I'm building a website with Zope, PostgreSQL and exUserFolder.
One of the tables of the PostgreSQL DB stores addresses from different
website users.

I have built a ZSQL method which retrieves users' addresses from that
table, taking the user identifier as the input variable.

The thing is that I would like to ensure that each user can only read
his own addresses.

To accomplish this I have done the following:
I have put the ZSQL method in a folder (sql/restricted) where only
owners and managers have “access content information” and “view”
permissions (my users have member roles).

Then I have written a Python script with “owner” proxy role with the
following code:

request = container.REQUEST
user = request.AUTHENTICATED_USER
regs = container.sql.restricted.my_zsql_method(user_id=user.getUserId())

The problem is that when I call this method from a Page Template I get
the following error:
Unauthorized: You are not allowed to access 'attribute1' in this
context.

Finally I wrote an external method with the following code:

user = REQUEST.AUTHENTICATED_USER
addresses = self.sql.restricted.my_zsql_method(user_id=user.getUserId())
cp_addresses = []
for address in addresses:
    address_dict = {}
    for key in addresses._schema.keys():
        # copy each column value from the current result row into a plain dict
        address_dict[key] = address[key]
    cp_addresses.append(address_dict)
return cp_addresses

and this works. 
But there MUST be an easier and more efficient way of doing it!!!

Does someone know what I'm missing?

Thanks a lot,
Toni.
