[ZPT] using TALES expressions elsewhere
Martijn Faassen
faassen@vet.uu.nl
Thu, 4 Oct 2001 21:42:02 +0200
Hi there,

I'm attempting to use TALES expressions in Formulator (to enable
users to override field properties in a flexible manner).

So far I've been able to introduce it with a minimal amount of code
change, but there are still some issues remaining. One is security.

In a TALES Python expression that I've passed some keyword parameters
to for context ('field' and 'form' in this case, so far), I call
a Python script that is in the acquisition context:

    python: field.my_python_script()

This works just fine. Now I have attempted the same, but as
anonymous while anonymous had no permission to 'view'
my_python_script, to make sure the security issues are
okay.

With the latest released version, I received the following traceback:
(sorry for the length, read on underneath it)
Error Type: TALESError
Error Value: exceptions.AttributeError on my_python_script in ""

Traceback (innermost last):
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /home/faassen/XMLZope/lib/python/Zope/__init__.py, line 226, in zpublisher_exception_hook
    (Object: LockableItem)
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /home/faassen/XMLZope/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/OFS/DTMLMethod.py, line 194, in __call__
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/DocumentTemplate/DT_String.py, line 546, in __call__
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/DocumentTemplate/DT_Util.py, line 231, in eval
    (Object: form.render())
    (Info: form)
  File <string>, line 2, in f
    (Object: guarded_getattr)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Form.py, line 263, in render
    (Object: LockableItem)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 176, in render
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 150, in _render_helper
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 163, in _get_default
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 96, in get_value
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/TALESField.py, line 37, in __call__
  File /home/faassen/XMLZope/lib/python/Products/PageTemplates/TALES.py, line 295, in evaluate
  File /home/faassen/XMLZope/lib/python/Products/PageTemplates/ZRPythonExpr.py, line 121, in __call__
    (Info: field.my_python_script())
  File Python expression "field.my_python_script()", line 2, in f
    (Object: guarded_getattr)
  File /home/faassen/XMLZope/lib/python/AccessControl/ZopeGuards.py, line 120, in guarded_getattr
    (Object: sf)
TALESError: (see above)

Firstly, I'm glad that there is an exception. But, this isn't a regular
security exception, so I'm wondering if I should be doing any other security
checks to make sure nothing untoward can happen. In addition, it would
also be nice to give a message to the user that is a bit more readable
to the developer than this one.

Thanks,

Martijn
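
Added example, not part of the original message and not Zope or Formulator code: a simplified Python model of the situation in the traceback, where a guarded lookup hides a script the caller may not view, the evaluator wraps the resulting AttributeError, and the caller fails closed with a readable message. Every name (`Obj`, the stand-in `guarded_getattr`, `evaluate`, `get_override`, `build_sample`) is hypothetical, and the assumption that a denied attribute is skipped rather than reported is inferred from the AttributeError in the traceback.

```python
# Simplified model, not Zope code: every name below is a stand-in for illustration.
class TALESError(Exception):
    """Wrapper that keeps the original exception, like the one in the traceback."""
    def __init__(self, expr, cause):
        super().__init__(f"{type(cause).__name__} on {cause} in {expr!r}")
        self.expr, self.cause = expr, cause

class Obj:
    """Object with a parent (acquisition chain) and per-attribute role sets."""
    def __init__(self, parent=None, **attrs):
        self.parent, self.attrs, self.allowed = parent, attrs, {}
    def protect(self, name, *roles):
        self.allowed[name] = set(roles)

def guarded_getattr(obj, name, roles):
    """Walk up the chain; candidates the caller may not view are skipped silently."""
    node = obj
    while node is not None:
        allowed = node.allowed.get(name)  # None means unprotected
        if name in node.attrs and (allowed is None or allowed & roles):
            return node.attrs[name]
        node = node.parent
    raise AttributeError(name)  # denied and missing look identical to the caller

def evaluate(name, field, roles):
    """Stand-in for evaluating 'field.<name>()' through the guard."""
    expr = f"field.{name}()"
    try:
        return guarded_getattr(field, name, roles)()
    except Exception as exc:
        raise TALESError(expr, exc) from exc

def get_override(field, name, roles):
    """Fail closed: on error return no value plus a message a developer can read."""
    try:
        return evaluate(name, field, roles), None
    except TALESError as err:
        kind = type(err.cause).__name__
        hint = " (missing, or not viewable by the current user)" \
            if isinstance(err.cause, AttributeError) else ""
        return None, f"override {err.expr} failed: {kind}{hint}"

def build_sample():
    """Constructed sample: a script in a parent folder, viewable by Manager only."""
    calls = []
    folder = Obj(my_python_script=lambda: calls.append(1) or "computed")
    folder.protect("my_python_script", "Manager")
    return Obj(parent=folder), calls
```

In this model the protected script is never invoked for the anonymous caller, which is the property worth asserting in a real test alongside the error message.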