subject:"\[Zope\] DTML Document class Id bug, somewhat fixed. But now setName ..."

[Zope] DTML Document class Id bug, somewhat fixed. But now setName ...

2000-06-29 Thread Walter A. Aprile



Hi,
I had (have) a problem with the Id property on an Article class that
subclasses the DTML document.

And indeed the problem was with the fact that I was subclassing the
DTML Document, which as explained in http://www.zope.org/Members/AlexR/ZClassIDBug
somewhat mangles the Id property. Public thanks to Rik Hoekstra 
[EMAIL PROTECTED]
for suggesting that. 
I added this fix (from the page I mention above) to the constructor method,

!--#with "myZClass.createInObjectManager(REQUEST['id'], REQUEST)"--
dtml-call "setName(REQUEST['id'])"
!--#/with--

And when I try creating a new object, it blows up in my face with this
error:

Unauthorized

  You are not authorized to access setName. 

  Traceback (innermost last):
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 214, in publish_module
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 179, in publish
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 165, in publish
File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 160, in mapply
  (Object: ArticleClass_add)
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 102, in call_object
  (Object: ArticleClass_add)
File /usr/local/zope/lib/python/OFS/DTMLMethod.py, line 150, in __call__
  (Object: ArticleClass_add)
File /usr/local/zope/lib/python/DocumentTemplate/DT_String.py, line 502, in 
__call__
  (Object: ArticleClass_add)
File /usr/local/zope/lib/python/DocumentTemplate/DT_With.py, line 148, in render
  (Object: ArticleClass.createInObjectManager(REQUEST['id'], REQUEST))
File /usr/local/zope/lib/python/DocumentTemplate/DT_Util.py, line 329, in eval
  (Object: setName(REQUEST['id']))
  (Info: setName)
  Unauthorized: (see above)


I _think_ that my user on this system has enough permissions to do this. Should I 
just ditch the class and recreate it (under the hypothesis that I botched something
while I was creating it the first time), or should I pester the guy that made my
user for additional, God-like, power ? And what is so special about setName ?

This is under:
Zope version: Zope 2.1.6 (binary release, python 1.5.2, solaris-2.6-sparc) 
Python version: 1.5.2 (#8, Nov 16 1999, 10:05:41) [GCC 2.8.1] 

Thanks in advance,
Walter

-- Vita brevis, ars longa, occasio celeris, experimentum periculosum,
judicium difficile. Attention: Un train peut en cacher un autre
-- Eris aprueba este email ! -- http://redescolar.ilce.edu.mx


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] DTML Document class Id bug, somewhat fixed. But now setName ...

2000-06-29 Thread Brian Lloyd


   And indeed the problem was with the fact that I was 
 subclassing the
 DTML Document, which as explained in 
 http://www.zope.org/Members/AlexR/ZClassIDBug
 somewhat mangles the Id property. Public thanks to Rik 
 Hoekstra [EMAIL PROTECTED]
 for suggesting that. 
   I added this fix (from the page I mention above) to the 
 constructor method,
 
 !--#with "myZClass.createInObjectManager(REQUEST['id'], REQUEST)"--
 dtml-call "setName(REQUEST['id'])"
 !--#/with--
 
 And when I try creating a new object, it blows up in my face with this
 error:

Walter -

this is sort of a tricky one :(  The problem is that the 
ZClass id bug is a legitimate bug (fixed in the 2.2 series), 
but your fix uses a method that should never have been 
accessible in the first place (and in fact the hotfix makes
it inaccessible, as it should have been all along).

So there are two things you could do here to get along until
you can upgrade to 2.2. One, you could edit the __init__.py
in the Hotfix product's directory and comment out the line:

DocumentTemplate.DT_String.String.setName__roles__=[]

...and restart Zope. That will make the setName method 
unprotected again though, so don't do this lightly. By 
unprotected I mean that other people could call setName 
on _your_ objects and screw things up if they wanted to.

An alternative would be to create an external method like
the following in your class:

def temporary_hack(self, id):
  self._setId(id)


...and try using:

  !--#with "myZClass.createInObjectManager(REQUEST['id'], REQUEST)"--
  dtml-call "temporary_hack(REQUEST['id'])"
  !--#/with--


That should let you solve it without reopening a security hole.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] DTML Document class Id bug, somewhat fixed. But now setName ...

RE: [Zope] DTML Document class Id bug, somewhat fixed. But now setName ...

2 matches

Site Navigation

Mail list logo

Footer information