[ZPT] ZPT + ParsedXML strangeness (acquisition vs. getattr)
Willem Broekema
willem@pastelhorn.com
Sun, 09 Dec 2001 23:53:07 +0100
Hi -- here's a strange behaviour using Page Templates and ParsedXML. I
already posted this in Zope-xml, without response so far.
The files (also in wilm.nl/test with u/p faassen:faassen):
--- xml : ParsedXML ---------------------------------------------
<?xml version="1.0" ?>
<doc>
<a>a elm 1</a>
</doc>
--- pt_een : ZPT -------------------------------------------------
<div tal:repeat="a python:here.xml[0].getElementsByTagName('a')">
<div tal:content="structure a/pt_twee">a/pt_twee</div>
</div>
--- pt_twee : ZPT ------------------------------------------------
something
------------------------------------------------------------------
Calling:
xml/pt_een
results in:
if I'm logged in as 'manager':
"something" # this is correct
if I'm not logged in:
"Error Type: TALESError
Error Value: exceptions.ValueError on invalid literal for int():
pt_twee in "<PathExpr standard:a/pt_twee>"
Now, creating a "Script (Python)" with proxy 'manager':
--- py : Script (Python) -----------------------------------------
return context.xml.pt_een()
------------------------------------------------------------------
and calling that gives the same exception, which is strange, as as manager
it's ok.
Changing the line in ZPT pt_een from:
<div tal:content="structure a/pt_twee">a/pt_twee</div>
to:
<div tal:content="structure python: a.pt_twee()">a/pt_twee</div>
results in:
Error Type: TALESError
Error Value: exceptions.AttributeError on pt_twee
in <PythonExpr a.pt_twee()>
So, what Martijn Faassen concluded (thanks for looking into it!):
- when logged in as manager, Zope (correctly!) applies the acquired
ZPT 'pt_twee' to the XML node;
- when not, even with a proxy role, Zope (incorrectly!) tries to
fetch the 'pt_twee' *index* of the XML node -
getitem(a, 'pt_twee'); probably because of some security issue(?)
Could someone explain this, or confirm this is a bug?
Again, all files are accessible on my site mentioned above, in case you
want to see the full traceback etc.
- Willem
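
Added example (not part of the original message, and not Zope or ParsedXML code): a simplified Python model of the two errors reported above, assuming the guarded attribute lookup reports a denied name as missing, so the path step falls back to item lookup on the node. Node, Template, guarded_getattr, traverse and the role names are hypothetical stand-ins.

```python
class Unauthorized(Exception):
    """Distinct error for a failed permission check (hypothetical name)."""

class Template:
    """Stand-in for pt_twee: usable only by holders of required_role."""
    def __init__(self, text, required_role):
        self.text, self.required_role = text, required_role

class Node:
    """Stand-in for an XML element: named objects are reached as attributes
    (acquisition), child nodes by integer index."""
    def __init__(self, acquired, children):
        self.acquired, self.children = acquired, children
    def __getitem__(self, key):
        return self.children[int(key)]  # int('pt_twee') raises ValueError

def guarded_getattr(node, name, roles, hide_denied):
    """Attribute lookup plus role check. With hide_denied, a denied name is
    reported as AttributeError, as the python: expression in the post saw."""
    obj = node.acquired.get(name)
    if obj is None:
        raise AttributeError(name)
    if obj.required_role not in roles:
        raise AttributeError(name) if hide_denied else Unauthorized(name)
    return obj

def traverse(node, name, roles, hide_denied):
    """Path-expression step: try the attribute, fall back to item lookup
    only when the attribute is reported missing."""
    try:
        return guarded_getattr(node, name, roles, hide_denied).text
    except AttributeError:
        return node[name]

def outcome(roles, hide_denied):
    """Return the rendered text, or the name of the exception raised."""
    # Constructed sample data mirroring the post: one node, one acquired template.
    node = Node({"pt_twee": Template("something", "Manager")}, ["a elm 1"])
    try:
        return traverse(node, "pt_twee", roles, hide_denied)
    except Exception as exc:
        return type(exc).__name__

if __name__ == "__main__":
    print(outcome({"Manager"}, True))     # something
    print(outcome({"Anonymous"}, True))   # ValueError
    print(outcome({"Anonymous"}, False))  # Unauthorized
```

In this model, the permission failure only becomes visible when the denied lookup raises its own exception type instead of being folded into "attribute missing".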