[Zope3-checkins] SVN: Zope3/trunk/src/zope/app/ Fixed
http://collector.zope.org/Zope3-dev/269
Jim Fulton
jim at zope.com
Thu Sep 2 13:55:05 EDT 2004
Log message for revision 27422:
Fixed http://collector.zope.org/Zope3-dev/269
Changed:
U Zope3/trunk/src/zope/app/pagetemplate/configure.zcml
A Zope3/trunk/src/zope/app/zptpage/browser/collector269.txt
U Zope3/trunk/src/zope/app/zptpage/browser/ftests.py
-=-
Modified: Zope3/trunk/src/zope/app/pagetemplate/configure.zcml
===================================================================
--- Zope3/trunk/src/zope/app/pagetemplate/configure.zcml 2004-09-02 12:05:18 UTC (rev 27421)
+++ Zope3/trunk/src/zope/app/pagetemplate/configure.zcml 2004-09-02 17:55:05 UTC (rev 27422)
@@ -27,4 +27,27 @@
<allow interface="zope.tales.interfaces.ITALESIterator" />
</content>
+ <class class=".engine.ZopePathExpr">
+ <allow attributes="__call__" />
+ </class>
+ <class class=".engine.TrustedZopePathExpr">
+ <allow attributes="__call__" />
+ </class>
+ <class class=".engine.ZopePythonExpr">
+ <allow attributes="__call__" />
+ </class>
+ <class class=".engine.PythonExpr">
+ <allow attributes="__call__" />
+ </class>
+
+ <class class="zope.tales.expressions.StringExpr">
+ <allow attributes="__call__" />
+ </class>
+ <class class="zope.tales.expressions.NotExpr">
+ <allow attributes="__call__" />
+ </class>
+ <class class="zope.tales.expressions.DeferExpr">
+ <allow attributes="__call__" />
+ </class>
+
</configure>
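Review bot: the new `<class>` block at the end of configure.zcml carries no comment saying why `__call__` has to be allowed on these seven expression classes, and one of them is `.engine.TrustedZopePathExpr`, which is granted exactly like the untrusted ones. Since `<allow>` makes the attribute publicly accessible through security proxies, a short ZCML comment would help here. It should point at collector issue 269 and state that calling a compiled expression only evaluates it against the context the caller supplies. The test file in this commit says other kinds of expressions are probably also affected, so it is worth confirming that every expression type the engine registers is covered here, not only the ones the new test happens to use.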
Added: Zope3/trunk/src/zope/app/zptpage/browser/collector269.txt
===================================================================
--- Zope3/trunk/src/zope/app/zptpage/browser/collector269.txt 2004-09-02 12:05:18 UTC (rev 27421)
+++ Zope3/trunk/src/zope/app/zptpage/browser/collector269.txt 2004-09-02 17:55:05 UTC (rev 27422)
@@ -0,0 +1,137 @@
+http://collector.zope.org/Zope3-dev/269
+
+When you use TALES path expressions in a page template that is security proxied, you get ForbiddenAttribute errors for PathExpr methods. Other
+kinds of expressions are probably also affected.
+
+To see the error, apply the following diff to collector266.txt and run
+test.py zope.app.zptpage.browser (I'm too lazy to figure out how to
+demonstrate this problem manually in a web browser):
+
+Index: src/zope/app/zptpage/browser/collector266.txt
+===================================================================
+--- src/zope/app/zptpage/browser/collector266.txt (revision 27388)
++++ src/zope/app/zptpage/browser/collector266.txt (working copy)
+@@ -29,6 +29,7 @@
+ ... </div>
+ ... <div metal:define-macro="greet">
+ ... Hello <span metal:define-slot="name">world</span>
++ ... <p tal:condition="nothing">Optional text</p>
+ ... </div>
+ ... </html>
+ ... -----------------------------78336869011025200592044897763
+
+
+We create a page that defines a macro:
+
+ >>> print http(r"""
+ ... POST /+/zope.app.zptpage.ZPTPage%3D HTTP/1.1
+ ... Authorization: Basic bWdyOm1ncnB3
+ ... Content-Length: 835
+ ... Content-Type: multipart/form-data; boundary=---------------------------78336869011025200592044897763
+ ... Referer: http://localhost:8081/+/zope.app.zptpage.ZPTPage=
+ ...
+ ... -----------------------------78336869011025200592044897763
+ ... Content-Disposition: form-data; name="field.source"
+ ...
+ ... <html>
+ ... <div metal:define-macro="greet">
+ ... Hello <span metal:define-slot="name">world</span>
+ ... <p tal:condition="nothing">Optional text</p>
+ ... <div tal:define="data python:{'foo': 1, 'bar': {'x': 1, 'y': 0}};
+ ... later defer:container">
+ ... <p tal:content="data/bar/x" />
+ ... <p tal:condition="not: data/foo" />
+ ... <p tal:content="string: string expr" />
+ ... </div>
+ ... </div>
+ ... </html>
+ ... -----------------------------78336869011025200592044897763
+ ... Content-Disposition: form-data; name="field.expand.used"
+ ...
+ ...
+ ... -----------------------------78336869011025200592044897763
+ ... Content-Disposition: form-data; name="field.evaluateInlineCode.used"
+ ...
+ ...
+ ... -----------------------------78336869011025200592044897763
+ ... Content-Disposition: form-data; name="UPDATE_SUBMIT"
+ ...
+ ... Add
+ ... -----------------------------78336869011025200592044897763
+ ... Content-Disposition: form-data; name="add_input_name"
+ ...
+ ... macros
+ ... -----------------------------78336869011025200592044897763--
+ ... """)
+ HTTP/1.1 303 See Other
+ ...
+ Location: http://localhost/@@contents.html
+ ...
+
+
+Lets create a page that uses the macro:
+
+ >>> print http(r"""
+ ... POST /+/zope.app.zptpage.ZPTPage%3D HTTP/1.1
+ ... Authorization: Basic bWdyOm1ncnB3
+ ... Content-Length: 1771
+ ... Content-Type: multipart/form-data; boundary=---------------------------196751392613651805401540383426
+ ... Referer: http://localhost:8081/+/zope.app.zptpage.ZPTPage=
+ ...
+ ... -----------------------------196751392613651805401540383426
+ ... Content-Disposition: form-data; name="field.source"
+ ...
+ ... <html>
+ ... <body>
+ ... <div metal:use-macro="container/macros/macros/greet">
+ ... <span metal:fill-slot="name">bob</span>
+ ... </div>
+ ... </body>
+ ... </html>
+ ... -----------------------------196751392613651805401540383426
+ ... Content-Disposition: form-data; name="field.expand.used"
+ ...
+ ...
+ ... -----------------------------196751392613651805401540383426
+ ... Content-Disposition: form-data; name="field.evaluateInlineCode.used"
+ ...
+ ...
+ ... -----------------------------196751392613651805401540383426
+ ... Content-Disposition: form-data; name="UPDATE_SUBMIT"
+ ...
+ ... Add
+ ... -----------------------------196751392613651805401540383426
+ ... Content-Disposition: form-data; name="add_input_name"
+ ...
+ ... page
+ ... -----------------------------196751392613651805401540383426--
+ ... """)
+ HTTP/1.1 303 See Other
+ ...
+ Location: http://localhost/@@contents.html
+ ...
+
+And run it.
+
+ >>> print http(r"""
+ ... GET /page HTTP/1.1
+ ... Authorization: Basic bWdyOm1ncnB3
+ ... """, handle_errors=False)
+ HTTP/1.1 200 Ok
+ Content-Length: 119
+ Content-Type: text/html;charset=utf-8
+ <BLANKLINE>
+ <html>
+ <body>
+ <div>
+ Hello <span>bob</span>
+ <BLANKLINE>
+ <div>
+ <p>1</p>
+ <BLANKLINE>
+ <p> string expr</p>
+ </div>
+ </div>
+ </body>
+ </html>
+ <BLANKLINE>
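Review bot: the opening paragraphs of collector269.txt are still the reproduction recipe from the bug report ("apply the following diff to collector266.txt and run test.py ..."), which no longer describes anything now that this file is itself the regression test. Suggest replacing the embedded diff with one sentence stating what is being verified: that path, python, not, string and defer expressions in a security-proxied template evaluate without ForbiddenAttribute. Two smaller points in the first POST body: `later defer:container` is defined but never referenced, so the deferred value is created but never evaluated, and adding something like `<p tal:content="later/..." />` would cover that path. The `Content-Length: 835` header should also be rechecked against the enlarged template body. "Lets create" should read "Let's create".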
Property changes on: Zope3/trunk/src/zope/app/zptpage/browser/collector269.txt
___________________________________________________________________
Name: svn:eol-style
+ native
Modified: Zope3/trunk/src/zope/app/zptpage/browser/ftests.py
===================================================================
--- Zope3/trunk/src/zope/app/zptpage/browser/ftests.py 2004-09-02 12:05:18 UTC (rev 27421)
+++ Zope3/trunk/src/zope/app/zptpage/browser/ftests.py 2004-09-02 17:55:05 UTC (rev 27422)
@@ -178,7 +178,7 @@
from zope.app.tests.functional import FunctionalDocFileSuite
return unittest.TestSuite((
unittest.makeSuite(ZPTPageTest),
- FunctionalDocFileSuite('collector266.txt'),
+ FunctionalDocFileSuite('collector266.txt', 'collector269.txt'),
))
if __name__ == '__main__':
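Review bot: passing both files to one `FunctionalDocFileSuite(...)` call is fine only if each file runs against a fresh database. collector269.txt adds objects named `macros` and `page` at the root, and if collector266.txt uses the same names and state is shared, the second file's 303 responses would depend on run order. Worth confirming the per-file setup, or using distinct names in collector269.txt.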