Re: [Zope] acessing parameters in a helper class

2000-11-08 Thread Dieter Maurer

Max M writes:
  
  <dtml-in getAllComments>
  <i><dtml-var author></i><br>
  .
  Traceback:
  
  Unauthorized: author
 
  
  def addComment(self, comment='', author='' , RESPONSE=None):
      "Adds a comment"
      self.comments.append(aComment(comment, author))
      self._p_changed = 1 # Trigger persistence
      RESPONSE.redirect('index_html')
  
  def getAllComments(self):
      "returns a list of all comments"
      return self.comments

Your "getAllComments" returns a list of bare (unwrapped) 
objects. This removes any possibility to acquire permissions.
You should probably rewrite your "getAllComments" like this:

def getAllComments(self):
    "returns a list of all comments"
    r = []
    for c in self.comments:
        # wrap each comment in the context of the guestbook
        r.append(c.__of__(self))
    return r

This would require that "aComment" inherits from
"Acquisition.Implicit" (or "Explicit").

Furthermore, your "aComment" does not specify any security
rules. With the new Zope 2.2 security policy, this means
access is prohibited.
You may consider providing security rules.

There is a nice document from Brian which explains your options.


Dieter

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




RE: [Zope] acessing parameters in a helper class

2000-11-08 Thread Max M

From: Dieter Maurer

You may consider providing security rules.

There is a nice document from Brian which explains your options.

Yes there is indeed. I just hadn't noticed it before.

I have just added: "__allow_access_to_unprotected_subobjects__=1" to the
aComment class and everything's dandy. Just what the doctor ordered.

Brian also mentions in his document that a "__roles__ = None" should do the
same for the class, but it doesn't. Don't know why.

class aComment:
    ' '
    __allow_access_to_unprotected_subobjects__=1 # This works
    #__roles__= None # This doesn't

    def __init__(self, comment, author):
        self.comment = comment
        self.author  = author
Thanks for the info

Max M

Max M. W. Rasmussen,Denmark.   New Media Director
private: [EMAIL PROTECTED] work: [EMAIL PROTECTED]
-
Specialization is for insects.  -  Robert A. Heinlein
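
Added example, not part of the original posts and not Zope's own code: a simplified pure-Python model of how a container's `__allow_access_to_unprotected_subobjects__` value gates unprotected attributes, comparing the blanket `=1` from the reply above with the dictionary form that lists only the names the template renders. `Unauthorized`, `allows_unprotected`, `guarded_getattr`, `readable`, the three class names and the `remote_addr` field are constructed for illustration; role checks and acquisition wrappers are left out.

```python
# Simplified model (an assumption, not Zope's code) of how a container's
# __allow_access_to_unprotected_subobjects__ value gates attribute access.

class Unauthorized(Exception):
    """Constructed stand-in for the Unauthorized error in the traceback."""


def allows_unprotected(container, name, value):
    """True if the container lets restricted code read unprotected `name`."""
    setting = getattr(container,
                      '__allow_access_to_unprotected_subobjects__', None)
    if isinstance(setting, dict):
        return bool(setting.get(name))       # per-name allow list
    if callable(setting):
        return bool(setting(name, value))    # decision made per access
    return bool(setting)                     # flag: all or nothing (None denies)


def guarded_getattr(container, name):
    """Hypothetical helper: read an attribute as a template would."""
    value = getattr(container, name)
    if not allows_unprotected(container, name, value):
        raise Unauthorized(name)
    return value


def readable(obj):
    """Sorted names of instance attributes that pass the check."""
    return [n for n in sorted(vars(obj))
            if allows_unprotected(obj, n, getattr(obj, n))]


class BareComment:                 # no declaration, as in the first post
    def __init__(self, comment, author, remote_addr):
        self.comment = comment
        self.author = author
        self.remote_addr = remote_addr   # constructed field, not for display

class OpenComment(BareComment):    # the setting from the reply: everything
    __allow_access_to_unprotected_subobjects__ = 1

class ListedComment(BareComment):  # only the names the template renders
    __allow_access_to_unprotected_subobjects__ = {'comment': 1, 'author': 1}

SAMPLE = ('Nice site', 'Max', '192.0.2.10')   # constructed sample data
```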







[Zope] acessing parameters in a helper class

2000-11-07 Thread Max M

I have the below class "mxm_guestbook_base" that is subclassed by a zClass.
So far so good.

But when in an "index_html" dtml-method I try to access the value "author" of
the "aComment" class returned in the "getAllComments" method like so:

<dtml-in getAllComments>
<dtml-var author>
<dtml-var comment fmt=structured-text>
</dtml-in>

I get the following traceback:

---

Traceback (innermost last):
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 187, in publish
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 171, in publish
  File C:\mxmZope\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: index_html)
  File C:\mxmZope\lib\python\OFS\DTMLMethod.py, line 172, in __call__
    (Object: index_html)
  File C:\mxmZope\lib\python\DocumentTemplate\DT_String.py, line 528, in __call__
    (Object: index_html)
  File C:\mxmZope\lib\python\DocumentTemplate\DT_In.py, line 691, in renderwob
    (Object: comments)
  File C:\mxmZope\lib\python\OFS\DTMLMethod.py, line 194, in validate
    (Object: index_html)
  File C:\mxmZope\lib\python\AccessControl\SecurityManager.py, line 139, in validate
  File C:\mxmZope\lib\python\AccessControl\ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: author

---

It seems that I have a problem accessing values in the objects inserted in
self.comments list.

If I just self.append('some comment') directly as a string I have no
problems accessing the comments as "sequence-item". It is only when inserting
an object into the list I cannot access it.

Does anybody have any ideas?

---

index_html (dtml-method):

---

<dtml-var standard_html_header>
[<a href="add_comment">Ny kommentar</a>]<br>
<dtml-in getAllComments>
<i><dtml-var author></i><br>
<dtml-var comment fmt=structured-text><p>
<center><hr height=1 noshade width=90%></center>
</dtml-in><br>
[<a href="add_comment">Ny kommentar</a>]<br>
<dtml-var standard_html_footer>

---

class aComment:
    ' '
    def __init__(self, comment, author):
        self.comment = comment
        self.author  = author

class mxm_guestbook_base:

    """
    A base class for guestbook products
    """

    def __init__(self):
        self.comments = []

    def addComment(self, comment='', author='' , RESPONSE=None):
        "Adds a comment"
        self.comments.append(aComment(comment, author))
        self._p_changed = 1 # Trigger persistence
        RESPONSE.redirect('index_html')

    def deleteAllComments(self, RESPONSE=None):
        "Deletes all comments"
        self.comments = []
        RESPONSE.redirect('index_html')

    def deleteComment(self, id, RESPONSE=None):
        "Deletes a single comment"
        del(self.comments[id])
        self._p_changed = 1 # Trigger persistence
        RESPONSE.redirect('index_html')

    def getAllComments(self):
        "returns a list of all comments"
        return self.comments
---

Regards

Max M

Max M. W. Rasmussen,Denmark.   New Media Director
private: [EMAIL PROTECTED] work: [EMAIL PROTECTED]
-
Specialization is for insects.  -  Robert A. Heinlein

