[Zope] You are not allowed to access 'a particular str' in this
context
Dieter Maurer
dieter at handshake.de
Sat Jan 26 15:03:12 EST 2008
Garito wrote at 2008-1-26 13:37 +0100:
>I don't understand quite well this explanation but it interest me a lot (as
>you can read if you search for my all questions about __bobo_traverse__)
>do it need I put the __allow_access_to_unprotected_subobjects__=1 in the
>__bobo_traverse__ or in other place?
The Zope weakness becomes obvious when "__bobo_traverse__"
returns an object without security declarations.
To work around this weakness you have to ensure that
"__bobo_traverse__" returns an object
with security declarations (in fact, it need to be public).
This means, you must set the security declarations on the
object returned by "__bobo_traverse__".
> ...
>2008/1/25, Dieter Maurer <dieter at handshake.de>:
>>
>> Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>> >Dieter Maurer schrieb:
>> > ...
>> >> I expect that the "message" object implements a "__bobo_traverse__"
>> >> method (or gets one through "Five").
>> >> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> >> without security declarations -- such as e.g. a string.
>> >> In this case, it insists that "getattr" must return the same object
>> >> and raise "Unauthorized" otherwise.
>> >
>> >Time 2008/01/25 12:01:53.125 GMT+1
>> >User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>> >Request URL
>> http://devportal:6080/portal_communications/manage_messagequeue
>> >Exception Type Unauthorized
>> >Exception Value You are not allowed to access 'a particular str'
>> in
>> >this context
>> > ...
>> > - __traceback_info__: message
>> > Module Products.PageTemplates.Expressions, line 338, in
>> restrictedTraverse
>> > - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack':
>> []}
>> >Unauthorized: You are not allowed to access 'a particular str' in this
>> >context
>>
>> This may be compatible with my assumption.
>>
>> Check line 338 in "Products/PageTemplates/Expressions.py".
>> When this line is in the block handling the "__bobo_traverse__",
>> then you have confirmed my assumption.
>>
>>
>> In this case, you must either get rid of the message's "__bobo_traverse__"
>> or let it return an object with security declarations (such
>> as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
>> and "__roles__=None") or ensure that a "getattr" results in the same
>> str or fix Zope.
--
Dieter
More information about the Zope
mailing list