[ZPT] PageTemplateFiles and product attributes

Troy Farrell troy@entheossoft.com
Wed, 11 Dec 2002 13:10:11 -0600


Thanks for responding.  You're really good at guessing.  Lemme write 
some code so it makes more sense:

I have a pt:

   security.declareProtected('View management screens', 'manage_workspace')
   manage_workspace = PageTemplateFile('zpt/manage_workspace',
                                       globals(), __name__='manage_workspace')

The pertinent code in the zpt is this:

<html metal:use-macro="here/manage_minimal_template/macros/master">
   <head>
   </head>
   <body>
     <div id="main" metal:fill-slot="main">

     <span tal:content="here/icon" />

     </div>
   </body>
</html>


The error message:

   Error Type: Unauthorized
   Error Value: You are not allowed to access icon in this context

TB:

Traceback (innermost last):
   Module ZPublisher.Publish, line 98, in publish
   Module ZPublisher.mapply, line 88, in mapply
   Module ZPublisher.Publish, line 39, in call_object
   Module Shared.DC.Scripts.Bindings, line 252, in __call__
   Module Shared.DC.Scripts.Bindings, line 283, in _bindAndExec
   Module Products.PageTemplates.PageTemplateFile, line 96, in _exec
   Module Products.PageTemplates.PageTemplate, line 95, in pt_render
    - <PageTemplateFile at /clients/stuff/stuff/>
   Module TAL.TALInterpreter, line 186, in __call__
   Module TAL.TALInterpreter, line 230, in interpret
   Module TAL.TALInterpreter, line 689, in do_useMacro
   Module TAL.TALInterpreter, line 230, in interpret
   Module TAL.TALInterpreter, line 712, in do_defineSlot
   Module TAL.TALInterpreter, line 230, in interpret
   Module TAL.TALInterpreter, line 483, in do_insertText_tal
   Module Products.PageTemplates.TALES, line 223, in evaluateText
   Module Products.PageTemplates.TALES, line 217, in evaluate
    - URL: manage_workspace
    - Line 8, Column 4
    - Expression: standard:'here/icon'
    - Names:
       {'container': <DateKiln instance at 918e298>,
        'default': <Products.PageTemplates.TALES.Default instance at 0x86d457c>,
        'here': <DateKiln instance at 918e298>,
        'loop': <SafeMapping instance at 90ff9e0>,
        'modules': <Products.PageTemplates.ZRPythonExpr._SecureModuleImporter instance at 0x86c3c74>,
        'nothing': None,
        'options': {'args': ()},
        'repeat': <SafeMapping instance at 90ff9e0>,
        'request': <HTTPRequest, URL=http://localhost:8080/clients/stuff/eventcalendar/manage_workspace>,
        'root': <Application instance at 88f97f0>,
        'template': <PageTemplateFile at /clients/stuff/stuff/>,
        'traverse_subpath': [],
        'user': troy}
   Module Products.PageTemplates.Expressions, line 206, in __call__
   Module Products.PageTemplates.Expressions, line 194, in _eval
   Module Products.PageTemplates.Expressions, line 150, in _eval
    - __traceback_info__: here
   Module Products.PageTemplates.Expressions, line 346, in restrictedTraverse
    - __traceback_info__: {'path': ['icon'], 'TraversalRequestNameStack': []}
Unauthorized: You are not allowed to access icon in this context


I know that's long, but that's the meat of the issue.  Any hints?
Thanks.
Troy

Clemens Robbenhaar wrote:
> Hi Troy,
> 
>  what kind of error message do You get, actually?
> 
>  > Greetings guys and gals.
>  > I have a security related question.  It appears to be related to the 
>  > question posed by Dylan at
>  > http://lists.zope.org/pipermail/zpt/2002-December/004112.html
>  > 
>  > I have a python product.  It uses PageTemplateFiles.  It uses them for 
>  > the management interface.  If I were smart, I would use the same method 
>  > that everyone else does to build the tabs and banner, but I'm not, so 
>  > I've written my own (actually, I just wanted them to validate - is that 
>  > too much to ask?)  The problem comes when the PageTemplateFile tries to 
>  > access my product's 'icon' attribute, or any other attribute (should I 
>  > say property?)  If I create the exact same PageTemplate in the ZODB, it 
>  > works fine, but not coming from the filesystem.  If I use 
>  > security.setDefaultAccess("allow"), it works.  Basically, my question is 
>  > this:
>  > 
>  > How can a PageTemplate file be set in a product so that it can access 
>  > the product's attributes without using security.setDefaultAccess("allow")?
>  > 
>  > Again: ZPT in ZODB works, PageTemplateFile does not work.
>  > 
> 
>  I assume You want to visit these pages with a manager role anyway.
> 
>  Then You could give the file system page a protection requiring manager
> role, like this:
> 
>     manage_tab = PageTemplateFile(
>         'www/manage.zpt',
>         globals(),  __name__='manage_tab')
> 
>     security.declareProtected('View management screens', 'manage_tab')
> 
> It then will pass down the manager role when accessing other attributes
> in Your class. (With Zope2.5.1 due to catching away Unauthorized errors,
> this did not work properly sometimes ... with Zope2.6.0 this is not an
> issue any longer.)
> 
> However I am not sure if this helps -- guess I have not understood Your
> problem altogether.
> 
> Regards,
> Clemens