[Zope-dev] [Problem] Zope/Python2.x incompatibility
Dear Zopistas,
I just met the following problem caused by a misfortunate name
clash between Python2.x and Zope:
DTML-Document:
&dtml-p;
When this document is rendered, Shane's wonderful ZDebug tool reports:
Error type: Unauthorized
Error value: Access denied for because
its container, 'title', has no security assertions.
Innermost method: /Test/wt/Target
Namespace Stack (innermost entry at top)
ID Type
(N/A) mapping with keys: ['p']
? InstanceDict
? DocumentTemplate.DT_InSV.sequence_variables
(N/A) mapping with keys: ['propertyIds']
(N/A) mapping with keys: ['document_id', 'document_title']
TargetInstanceDict
TargetInstanceDict
REQUEST ZPublisher.HTTPRequest.HTTPRequest
problem in "_[p]".
What happens here?
"dtml-in" pushes the property id "title" (a string) onto the namespace
stack. It is the next-to top "InstanceDict" entry.
Starting with Python 2.0 (maybe 1.6), string objects have
methods, among them "title".
When "title" is looked up in the namespace, the "title" of
the string object is found and not the one of the DTML Document.
This wrong "title" method gives an "Unauthorized" exception because
string objects do not participate in Zope's security mechanism.
Danger
Any string object on the namespace can prevent access to
the "title" property. Propably only "dtml-in" and
(if used wrongly) "dtml-with" are affected.
Thank you Shane for the wonderfull "ZDebug".
Without it, it would have been much more difficult to analyse
this problem.
Dieter
___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] XXXPythonScripts release 1.0
After seeing the demand for this in a thread on ZopeZen, I've decided to release XXXPythonScripts, at: http://www.zope.org/Members/4am/XXXPythonScripts This Product adds a new Script meta-type: "Script (Python, unsafe)". You can only create or edit these objects when your Zope has been started with a special environment variable set. The envar name is whimsical, but this isn't a joke; By using this Product you add a risk to your system equivalent to using Telnet to log in as the Zope user. If somebody sniffs/guesses your login and this is turned on, they can write Scripts to do whatever the Zope process user can do! These are compatible with Zope 2.3.x only. I have no immediate plans to make them work with 2.4.x, but it shouldn't be hard. Cheers, Evan @ digicool & 4-am ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ZCVSFolder not running on windows
Hi Robert, Sorry.. ZCVSFolder is not supported for Windows. Patches accepted! -steve Robert Rottermann wrote: > > Hi there, > > I installed the newest version of ZCVSMFolder on my windowsbox. > > As it uses fork it can not work. However I used a former version under > windows. Is this not possible anymore? > > thanks for any insigth > > Robert > > ___ > Zope-Dev maillist - [EMAIL PROTECTED] > http://lists.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > http://lists.zope.org/mailman/listinfo/zope-announce > http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
