Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-26 Thread Dieter Maurer
Garito wrote at 2008-1-26 13:37 +0100:
>I don't quite understand this explanation, but it interests me a lot (as
>you can read if you search for all my questions about __bobo_traverse__).
>Do I need to put the __allow_access_to_unprotected_subobjects__=1 in the
>__bobo_traverse__ or in some other place?

The Zope weakness becomes obvious when "__bobo_traverse__"
returns an object without security declarations.

To work around this weakness you have to ensure that
"__bobo_traverse__" returns an object
with security declarations (in fact, it needs to be public).
This means, you must set the security declarations on the
object returned by "__bobo_traverse__".

> ...
>2008/1/25, Dieter Maurer <[EMAIL PROTECTED]>:
>>
>> Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>> >Dieter Maurer schrieb:
>> > ...
>> >> I expect that the "message" object implements a "__bobo_traverse__"
>> >> method (or gets one through "Five").
>> >> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> >> without security declarations -- such as e.g. a string.
>> >> In this case, it insists that "getattr" must return the same object
>> >> and raise "Unauthorized" otherwise.
>> >
>> >Time   2008/01/25 12:01:53.125 GMT+1
>> >User Name (User Id)DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>> >Request URL
>> http://devportal:6080/portal_communications/manage_messagequeue
>> >Exception Type Unauthorized
>> >Exception ValueYou are not allowed to access 'a particular str'
>> in
>> >this context
>> > ...
>> >   - __traceback_info__: message
>> >  Module Products.PageTemplates.Expressions, line 338, in
>> restrictedTraverse
>> >   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack':
>> []}
>> >Unauthorized: You are not allowed to access 'a particular str' in this
>> >context
>>
>> This may be compatible with my assumption.
>>
>> Check line 338 in "Products/PageTemplates/Expressions.py".
>> When this line is in the block handling the "__bobo_traverse__",
>> then you have confirmed my assumption.
>>
>>
>> In this case, you must either get rid of the message's "__bobo_traverse__"
>> or let it return an object with security declarations (such
>> as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
>> and "__roles__=None") or ensure that a "getattr" results in the same
>> str or fix Zope.



-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
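
The check described in this thread and the "str wrapper" workaround, as an added example that is not part of the original messages and is not Zope's own code. restricted_traverse_step, outcome, Message and PublicStr are hypothetical names, and the check is a simplified model of the behaviour described above; only the two attribute names come from the thread.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""


_MISSING = object()


class PublicStr(str):
    """str wrapper carrying the two declarations named in the thread."""
    __allow_access_to_unprotected_subobjects__ = 1
    __roles__ = None  # None is Zope's marker for "public"


class Message(object):
    """Constructed stand-in for an object with a __bobo_traverse__ hook."""

    def __init__(self, data, wrap=False):
        self._data = data
        self._wrap = wrap

    def __bobo_traverse__(self, request, name):
        value = self._data[name]
        if self._wrap and isinstance(value, str):
            return PublicStr(value)  # workaround: declare the result public
        return value                 # plain str: no security declarations


def restricted_traverse_step(obj, name, request=None):
    """Hypothetical, simplified model of the check described above."""
    value = obj.__bobo_traverse__(request, name)
    roles = getattr(value, "__roles__", _MISSING)
    if roles is None:
        return value  # explicitly public
    if roles is _MISSING and getattr(obj, name, _MISSING) is value:
        return value  # undeclared, but getattr yields the same object
    # Fail closed; role-based checks for non-public values are not modelled.
    raise Unauthorized("You are not allowed to access 'a particular %s' "
                       "in this context" % type(value).__name__)


def outcome(obj, name):
    """Return the traversed value, or the string 'Unauthorized' if denied."""
    try:
        return restricted_traverse_step(obj, name)
    except Unauthorized:
        return "Unauthorized"


if __name__ == "__main__":
    row = {"ID": "msg-0001", "Status": "Read"}  # constructed sample data
    print(outcome(Message(row), "ID"))             # plain str is denied
    print(outcome(Message(row, wrap=True), "ID"))  # wrapped str is allowed
```

Declaring a value public this way removes the access check for it, so the wrapper belongs only on values that every caller of the template may read.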


Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-26 Thread Garito
Hi!
I don't quite understand this explanation, but it interests me a lot (as
you can read if you search for all my questions about __bobo_traverse__).
Do I need to put the __allow_access_to_unprotected_subobjects__=1 in the
__bobo_traverse__ or in some other place?

In my last try to solve this issue in my case I tried __roles__ = None, but
this was an incomplete solution.

Please can you complete my information?

Thanks!

2008/1/25, Dieter Maurer <[EMAIL PROTECTED]>:
>
> Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
> >Dieter Maurer schrieb:
> > ...
> >> I expect that the "message" object implements a "__bobo_traverse__"
> >> method (or gets one through "Five").
> >> Zope is a bit stupid when "__bobo_traverse__" returns an object
> >> without security declarations -- such as e.g. a string.
> >> In this case, it insists that "getattr" must return the same object
> >> and raise "Unauthorized" otherwise.
> >
> >Time   2008/01/25 12:01:53.125 GMT+1
> >User Name (User Id)DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
> >Request URL
> http://devportal:6080/portal_communications/manage_messagequeue
> >Exception Type Unauthorized
> >Exception ValueYou are not allowed to access 'a particular str'
> in
> >this context
> > ...
> >   - __traceback_info__: message
> >  Module Products.PageTemplates.Expressions, line 338, in
> restrictedTraverse
> >   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack':
> []}
> >Unauthorized: You are not allowed to access 'a particular str' in this
> >context
>
> This may be compatible with my assumption.
>
> Check line 338 in "Products/PageTemplates/Expressions.py".
> When this line is in the block handling the "__bobo_traverse__",
> then you have confirmed my assumption.
>
>
> In this case, you must either get rid of the message's "__bobo_traverse__"
> or let it return an object with security declarations (such
> as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
> and "__roles__=None") or ensure that a "getattr" results in the same
> str or fix Zope.
>
>
> --
> Dieter



-- 
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670


Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-25 Thread Dieter Maurer
Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>Dieter Maurer schrieb:
> ...
>> I expect that the "message" object implements a "__bobo_traverse__"
>> method (or gets one through "Five").
>> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> without security declarations -- such as e.g. a string.
>> In this case, it insists that "getattr" must return the same object
>> and raise "Unauthorized" otherwise.
>
>Time   2008/01/25 12:01:53.125 GMT+1
>User Name (User Id)DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>Request URLhttp://devportal:6080/portal_communications/manage_messagequeue
>Exception Type Unauthorized
>Exception ValueYou are not allowed to access 'a particular str' in
>this context
> ...
>   - __traceback_info__: message
>  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
>   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
>Unauthorized: You are not allowed to access 'a particular str' in this
>context

This may be compatible with my assumption.

Check line 338 in "Products/PageTemplates/Expressions.py".
When this line is in the block handling the "__bobo_traverse__",
then you have confirmed my assumption.


In this case, you must either get rid of the message's "__bobo_traverse__"
or let it return an object with security declarations (such
as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
and "__roles__=None") or ensure that a "getattr" results in the same
str or fix Zope.


-- 
Dieter


Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-25 Thread Gerhard Schmidt
Dieter Maurer schrieb:
> Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
>> I have a rather strange Problem.
>>
>> I have a PersistentList containing PersistentMapping objects.
>>
>> [{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
>> 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 
>> 'Date':
>> DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission
>> test', 'ID': '[EMAIL PROTECTED]'}]
>>
>> When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
>> everything functions as expected. When I try tal:replace="message/ID" I get
>> an Unauthorized Exception "You are not allowed to access 'a particular str' in
>> this context"
> 
> Reconfigure your "error_log" object to not ignore "Unauthorized" exceptions,
> reproduce the error and then look at the corresponding traceback.
> 
> I expect that the "message" object implements a "__bobo_traverse__"
> method (or gets one through "Five").
> Zope is a bit stupid when "__bobo_traverse__" returns an object
> without security declarations -- such as e.g. a string.
> In this case, it insists that "getattr" must return the same object
> and raise "Unauthorized" otherwise.

Time                 2008/01/25 12:01:53.125 GMT+1
User Name (User Id)  DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
Request URL          http://devportal:6080/portal_communications/manage_messagequeue
Exception Type       Unauthorized
Exception Value      You are not allowed to access 'a particular str' in this context

Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 41, in call_object
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.PageTemplates.PageTemplateFile, line 113, in _exec
  Module Products.PageTemplates.PageTemplate, line 104, in pt_render
   - 
  Module TAL.TALInterpreter, line 238, in __call__
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 715, in do_condition
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 691, in do_loop_tal
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 455, in do_optTag_tal
  Module TAL.TALInterpreter, line 437, in no_tag
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 531, in do_insertText_tal
  Module Products.PageTemplates.TALES, line 227, in evaluateText
  Module Products.PageTemplates.TALES, line 221, in evaluate
   - URL: manage_messagequeue
   - Line 17, Column 9
   - Expression: standard:'message/ID'
   - Names:
  {'container': ,
   'context': ,
   'default': ,
   'here': ,
   'loop': ,
   'modules':
,
   'nothing': None,
   'options': {'args': ()},
   'repeat': ,
   'request': http://devportal:6080/portal_communications/manage_messagequeue>,
   'root': ,
   'template': ,
   'traverse_subpath': [],
   'user': }
  Module Products.PageTemplates.Expressions, line 185, in __call__
  Module Products.PageTemplates.Expressions, line 173, in _eval
  Module Products.PageTemplates.Expressions, line 127, in _eval
   - __traceback_info__: message
  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
Unauthorized: You are not allowed to access 'a particular str' in this
context

Regards
 Gerhard

-- 
-
Gerhard Schmidt   | E-Mail: [EMAIL PROTECTED]
TU-München|
WWW & Online Services |
Tel: 089/289-25270|
Fax: 089/289-25257| PGP-Publickey auf Anfrage



Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-25 Thread Gerhard Schmidt
Martijn Jacobs schrieb:
> Does this problem only occur with message/ID? Or also with
> message/Message or message/SenderId?

The problem is on all strings. DateTime objects are working.

> Which version of zope are you using?

Zope 2.9.7-final, python 2.4.4, freebsd7

Gerhard
-- 
-
Gerhard Schmidt   | E-Mail: [EMAIL PROTECTED]
TU-München|
WWW & Online Services |
Tel: 089/289-25270|
Fax: 089/289-25257| PGP-Publickey on Request



Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-24 Thread Dieter Maurer
Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
>I have a rather strange Problem.
>
>I have a PersistentList containing PersistentMapping objects.
>
>[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
>16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date':
>DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission
>test', 'ID': '[EMAIL PROTECTED]'}]
>
>When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
>everything functions as expected. When I try tal:replace="message/ID" I get an
>Unauthorized Exception "You are not allowed to access 'a particular str' in
>this context"

Reconfigure your "error_log" object to not ignore "Unauthorized" exceptions,
reproduce the error and then look at the corresponding traceback.

I expect that the "message" object implements a "__bobo_traverse__"
method (or gets one through "Five").
Zope is a bit stupid when "__bobo_traverse__" returns an object
without security declarations -- such as e.g. a string.
In this case, it insists that "getattr" must return the same object
and raise "Unauthorized" otherwise.



-- 
Dieter


Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-24 Thread Martijn Jacobs
Does this problem only occur with message/ID? Or also with
message/Message or message/SenderId?


Which version of zope are you using?


Kind regards,


Martijn.

Hi all,

I have a rather strange Problem.

I have a PersistentList containing PersistentMapping objects.

[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date':
DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission
test', 'ID': '[EMAIL PROTECTED]'}]

When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
everything functions as expected. When I try tal:replace="message/ID" I get an
Unauthorized Exception "You are not allowed to access 'a particular str' in
this context"

I can access all DateTime objects. Only the strings are not allowed.

There is no difference whether getMessages returns the original list or I
build a new list with copies of the PersistentMapping objects.

To get this working I have to create new dictionaries from the
PersistentMappings, add them to a normal list and return this list.

    ret = []

    # copy every PersistentMapping into a plain dict
    for test in self.msglist:
        temptest = {}
        for (key, value) in test.items():
            temptest[key] = value
        ret.append(temptest)
    return ret

That's a real performance killer as the list is read quite frequently.

Any idea how to fix this?


Gerhard
  






--
Martijn Jacobs
Four Digits, Internet Solutions

a: Willemsplein 15-1 6811 KB Arnhem NL 
kvk: 09162137 | btw: 8161.22.234.B01

e-mail: [EMAIL PROTECTED] | web: http://www.fourdigits.nl
tel: +31 (0)26 44 22 700 | fax: +31 (0)84 22 06 117 



[Zope] You are not allowed to access 'a particular str' in this context

2008-01-24 Thread Gerhard Schmidt
Hi all,

I have a rather strange Problem.

I have a PersistentList containing PersistentMapping objects.

[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date':
DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission
test', 'ID': '[EMAIL PROTECTED]'}]

When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
everything functions as expected. When I try tal:replace="message/ID" I get an
Unauthorized Exception "You are not allowed to access 'a particular str' in
this context"

I can access all DateTime objects. Only the strings are not allowed.

There is no difference whether getMessages returns the original list or I
build a new list with copies of the PersistentMapping objects.

To get this working I have to create new dictionaries from the
PersistentMappings, add them to a normal list and return this list.

    ret = []

    # copy every PersistentMapping into a plain dict
    for test in self.msglist:
        temptest = {}
        for (key, value) in test.items():
            temptest[key] = value
        ret.append(temptest)
    return ret

That's a real performance killer as the list is read quite frequently.

Any idea how to fix this?


Gerhard
-- 
-
Gerhard Schmidt   | E-Mail: [EMAIL PROTECTED]
TU-München|
WWW & Online Services |
Tel: 089/289-25270|
Fax: 089/289-25257| PGP-Publickey on request



