[Zope] Zope security and session object

Chris McDonough chrism at plope.com
Tue Jun 8 20:29:07 EDT 2004


David,

This appears to be just "normal" Zope security doing its job.  Instances
of classes which aren't decorated by security declarations cannot be
accessed.

There are ways around this.  See the Zope Developer's Guide security
chapter for more details.

On Tue, 2004-06-08 at 19:56, davidnwd at bellsouth.net wrote:
> Hi,
> 
> I've got an external method that calls a SOAP transaction. It 
> returns an array object with an imbedded array. In a folder along 
> with my index_html I've got this code:
> 
> REQUEST=context.REQUEST
> 
> # process the search criteria
> results = context.search(REQUEST)   ## the SOAP call
> 
> # put results in session
> session=REQUEST.SESSION
> session['results']=results
> 
> # display the results
> state.setNextAction('redirect_to:string:search_results')
> 
> # Always make sure to return the ControllerState object
> return state
> 
> Now, in search_results this:
> 
> <table border="1" width="100%" 
> tal:condition="request/SESSION/results | nothing">
>   <tr>
>     <th>DOC Nbr</th>
>     <th>First</th>
>     <th>Middle</th>
>     <th>Last</th>
>     <th>Gender</th>
>     <th>Age</th>
>     <th>Race</th>
>     <th>Status</th>
>   </tr>
>   <tr tal:repeat="item request/SESSION/results">
>     <td tal:content="item/DOCNbr">DOCNbr</td>
>     <td tal:condition="item/firstName|nothing" 
> tal:content="item/firstName">First</td>
>     <td tal:condition="item/middleName|nothing" 
> tal:content="item/middleName">Middle</td>
>     <td tal:condition="item/gender|nothing" 
> tal:content="item/gender">Gender</td>
>     <td tal:condition="item/age|nothing" 
> tal:content="item/age">Age</td>
>     <td tal:condition="item/race|nothing" 
> tal:content="item/race">Race</td>
>     <td tal:condition="item/status|nothing" 
> tal:content="item/status">Status</td>
>   </tr>
> </table>
> 
> And, of course, it's unauthorized (@*#@*#! Zope!) Here's the output 
> from VerboseSecurity:
> 
> The container has no security assertions. Access to 'DOCNbr' of 
> (SOAPpy.Types.structType multiRef at 51949776): 
> {'status': 'INACTIVE', 'DOCNbr': 139200L, 'isDCC': 0, 'isDOP': 
> 1, 'firstName': 'RANDALL', 'middleName': '', 'gender': 'MALE', 'age':
>  30L, 'hasDCC': 1, 'race': 'WHITE', 'lastName': 'ADDIS'} denied. 
> 
> No matter what I do, I can't get to anything inside my array. What 
> do I do???
> 
> TIA
> 
> David
> Atlanta
> 
> 

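One way around the restriction described in the reply, as an added example that is not part of the original thread or of Zope itself: have the external method (unrestricted code) copy the SOAP result into plain dicts and lists, which restricted code such as Page Templates is allowed to read, keeping only an allow-list of fields. `to_plain`, `ALLOWED_FIELDS`, `MAX_DEPTH`, `FakeStruct` and `demo` are hypothetical names, the sample records are constructed, and the code uses Python 3 syntax.

```python
# Added example. FakeStruct is a constructed stand-in for
# SOAPpy.Types.structType so the block runs without Zope or SOAPpy.

# Allow-list of fields (names taken from the VerboseSecurity output above).
ALLOWED_FIELDS = ('DOCNbr', 'firstName', 'middleName', 'lastName',
                  'gender', 'age', 'race', 'status')
MAX_DEPTH = 5  # assumption: real results are shallow; refuse anything deeper


def to_plain(value, depth=0):
    """Copy a SOAP result into exact built-in types, allow-listed fields only."""
    if depth > MAX_DEPTH:
        raise ValueError('result nested deeper than %d levels' % MAX_DEPTH)
    if value is None:
        return None
    # bool is tested before int because bool is a subclass of int.
    for simple in (bool, int, float, str):
        if isinstance(value, simple):
            return simple(value)  # coerces subclasses to the exact built-in
    if isinstance(value, (list, tuple)):
        return [to_plain(v, depth + 1) for v in value]
    if isinstance(value, dict):
        return {k: to_plain(v, depth + 1)
                for k, v in value.items() if k in ALLOWED_FIELDS}
    # Any other object is treated as a record: copy allow-listed attributes.
    return {name: to_plain(getattr(value, name), depth + 1)
            for name in ALLOWED_FIELDS if hasattr(value, name)}


class FakeStruct(object):
    """Constructed stand-in for an undeclared class such as structType."""
    def __init__(self, **fields):
        self.__dict__.update(fields)


def demo():
    # Constructed sample data, shaped like the result shown in the post.
    soap_results = [
        FakeStruct(DOCNbr=1001, firstName='ANN', middleName='', age=41,
                   status='ACTIVE', isDCC=0, internalRef=FakeStruct(x=1)),
        FakeStruct(DOCNbr=1002, firstName='BOB', status='INACTIVE'),
    ]
    return to_plain(soap_results)


if __name__ == '__main__':
    for row in demo():
        print(row)
```

In the external method, the SOAP result would be passed through `to_plain` before it is returned, so the session only ever holds built-in types and fields outside the allow-list never reach the template.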