Re: [Zope] You are not allowed to access 'a particular str' in this context
Garito wrote at 2008-1-26 13:37 +0100:
>I don't understand quite well this explanation but it interests me a lot (as
>you can read if you search for all my questions about __bobo_traverse__)
>do I need to put the __allow_access_to_unprotected_subobjects__=1 in the
>__bobo_traverse__ or in another place?

The Zope weakness becomes obvious when "__bobo_traverse__" returns
an object without security declarations.

To work around this weakness you have to ensure that "__bobo_traverse__"
returns an object with security declarations (in fact, it needs to be public).

This means, you must set the security declarations on the object
returned by "__bobo_traverse__".

> ...
>2008/1/25, Dieter Maurer <[EMAIL PROTECTED]>:
>>
>> Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>> >Dieter Maurer wrote:
>> > ...
>> >> I expect that the "message" object implements a "__bobo_traverse__"
>> >> method (or gets one through "Five").
>> >> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> >> without security declarations -- such as e.g. a string.
>> >> In this case, it insists that "getattr" must return the same object
>> >> and raise "Unauthorized" otherwise.
>> >
>> >Time 2008/01/25 12:01:53.125 GMT+1
>> >User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>> >Request URL http://devportal:6080/portal_communications/manage_messagequeue
>> >Exception Type Unauthorized
>> >Exception Value You are not allowed to access 'a particular str' in this context
>> > ...
>> >   - __traceback_info__: message
>> >  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
>> >   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
>> >Unauthorized: You are not allowed to access 'a particular str' in this context
>>
>> This may be compatible with my assumption.
>>
>> Check line 338 in "Products/PageTemplates/Expressions.py".
>> When this line is in the block handling the "__bobo_traverse__",
>> then you have confirmed my assumption.
>>
>> In this case, you must either get rid of the message's "__bobo_traverse__"
>> or let it return an object with security declarations (such
>> as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
>> and "__roles__=None") or ensure that a "getattr" results in the same
>> str or fix Zope.

-- 
Dieter
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
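
Added example, not part of the original messages and not Zope source code: a simplified Python model of the check described in this thread, showing a "__bobo_traverse__" that returns a plain str being rejected and the same method returning a str wrapper with the two declarations being accepted. The names restricted_traverse_step, is_declared_public, PublicStr, Message and FixedMessage are hypothetical, and treating the two attributes as the whole of "has security declarations" is an assumption of the model.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""

_MISSING = object()

def is_declared_public(obj):
    # Model assumption: "has security declarations" means the two attributes
    # named in the thread are present with the values given there.
    return (getattr(obj, "__roles__", _MISSING) is None and
            bool(getattr(obj, "__allow_access_to_unprotected_subobjects__", 0)))

def restricted_traverse_step(container, name):
    """Model of one path step, e.g. 'ID' in the expression message/ID."""
    result = container.__bobo_traverse__(None, name)
    if is_declared_public(result):
        return result
    # Undeclared result: accepted only if getattr yields the very same object.
    if getattr(container, name, _MISSING) is result:
        return result
    raise Unauthorized("You are not allowed to access 'a particular %s' "
                       "in this context" % type(result).__name__)

class PublicStr(str):
    """The str wrapper from the thread. Use only for values every caller
    may read: the declarations make the value public."""
    __allow_access_to_unprotected_subobjects__ = 1
    __roles__ = None

class Message(dict):
    """Hypothetical mapping that resolves path steps to its keys."""
    def __bobo_traverse__(self, request, name):
        return self[name]

class FixedMessage(Message):
    def __bobo_traverse__(self, request, name):
        value = self[name]
        # Wrap plain strings only; other values pass through unchanged.
        return PublicStr(value) if type(value) is str else value

def demo():
    data = {"ID": "msg-0001", "Status": "Read"}  # constructed sample values
    try:
        before = restricted_traverse_step(Message(data), "ID")
    except Unauthorized as exc:
        before = "Unauthorized: %s" % exc
    after = restricted_traverse_step(FixedMessage(data), "ID")
    return before, after

if __name__ == "__main__":
    print(demo())
```
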
Re: [Zope] You are not allowed to access 'a particular str' in this context
Hi!
I don't understand quite well this explanation but it interests me a lot (as
you can read if you search for all my questions about __bobo_traverse__)
do I need to put the __allow_access_to_unprotected_subobjects__=1 in the
__bobo_traverse__ or in another place?

In my last try to solve this issue in my case I tried the __roles__ = None but
this was an incomplete solution

Please can you complete my information?

Thanks!

2008/1/25, Dieter Maurer <[EMAIL PROTECTED]>:
>
> Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
> >Dieter Maurer wrote:
> > ...
> >> I expect that the "message" object implements a "__bobo_traverse__"
> >> method (or gets one through "Five").
> >> Zope is a bit stupid when "__bobo_traverse__" returns an object
> >> without security declarations -- such as e.g. a string.
> >> In this case, it insists that "getattr" must return the same object
> >> and raise "Unauthorized" otherwise.
> >
> >Time 2008/01/25 12:01:53.125 GMT+1
> >User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
> >Request URL http://devportal:6080/portal_communications/manage_messagequeue
> >Exception Type Unauthorized
> >Exception Value You are not allowed to access 'a particular str' in this context
> > ...
> >   - __traceback_info__: message
> >  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
> >   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
> >Unauthorized: You are not allowed to access 'a particular str' in this context
>
> This may be compatible with my assumption.
>
> Check line 338 in "Products/PageTemplates/Expressions.py".
> When this line is in the block handling the "__bobo_traverse__",
> then you have confirmed my assumption.
>
> In this case, you must either get rid of the message's "__bobo_traverse__"
> or let it return an object with security declarations (such
> as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
> and "__roles__=None") or ensure that a "getattr" results in the same
> str or fix Zope.
>
> --
> Dieter

-- 
Mis Cosas http://blogs.sistes.net/Garito
Zope Smart Manager http://blogs.sistes.net/Garito/670
Re: [Zope] You are not allowed to access 'a particular str' in this context
Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>Dieter Maurer wrote:
> ...
>> I expect that the "message" object implements a "__bobo_traverse__"
>> method (or gets one through "Five").
>> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> without security declarations -- such as e.g. a string.
>> In this case, it insists that "getattr" must return the same object
>> and raise "Unauthorized" otherwise.
>
>Time 2008/01/25 12:01:53.125 GMT+1
>User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>Request URL http://devportal:6080/portal_communications/manage_messagequeue
>Exception Type Unauthorized
>Exception Value You are not allowed to access 'a particular str' in this context
> ...
>   - __traceback_info__: message
>  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
>   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
>Unauthorized: You are not allowed to access 'a particular str' in this context

This may be compatible with my assumption.

Check line 338 in "Products/PageTemplates/Expressions.py".
When this line is in the block handling the "__bobo_traverse__",
then you have confirmed my assumption.

In this case, you must either get rid of the message's "__bobo_traverse__"
or let it return an object with security declarations (such
as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
and "__roles__=None") or ensure that a "getattr" results in the same
str or fix Zope.

-- 
Dieter
Re: [Zope] You are not allowed to access 'a particular str' in this context
Dieter Maurer wrote:
> Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
>> I have a rather strange Problem.
>>
>> I have a PersistentList containing PersistentMapping objects.
>>
>> [{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
>> 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8',
>> 'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein
>> permission test', 'ID': '[EMAIL PROTECTED]'}]
>>
>> When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
>> everything functions as expected. When I try tal:replace="message/ID" I get
>> an Unauthorized Exception "You are not allowed to access 'a particular str'
>> in this context"
>
> Reconfigure your "error_log" object to not ignore "Unauthorized" exceptions,
> reproduce the error and then look at the corresponding traceback.
>
> I expect that the "message" object implements a "__bobo_traverse__"
> method (or gets one through "Five").
> Zope is a bit stupid when "__bobo_traverse__" returns an object
> without security declarations -- such as e.g. a string.
> In this case, it insists that "getattr" must return the same object
> and raise "Unauthorized" otherwise.

Time 2008/01/25 12:01:53.125 GMT+1
User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
Request URL http://devportal:6080/portal_communications/manage_messagequeue
Exception Type Unauthorized
Exception Value You are not allowed to access 'a particular str' in this context

Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 41, in call_object
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.PageTemplates.PageTemplateFile, line 113, in _exec
  Module Products.PageTemplates.PageTemplate, line 104, in pt_render
   -
  Module TAL.TALInterpreter, line 238, in __call__
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 715, in do_condition
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 691, in do_loop_tal
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 455, in do_optTag_tal
  Module TAL.TALInterpreter, line 437, in no_tag
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 531, in do_insertText_tal
  Module Products.PageTemplates.TALES, line 227, in evaluateText
  Module Products.PageTemplates.TALES, line 221, in evaluate
   - URL: manage_messagequeue
   - Line 17, Column 9
   - Expression: standard:'message/ID'
   - Names: {'container': , 'context': , 'default': , 'here': , 'loop': , 'modules': , 'nothing': None, 'options': {'args': ()}, 'repeat': , 'request': http://devportal:6080/portal_communications/manage_messagequeue>, 'root': , 'template': , 'traverse_subpath': [], 'user': }
  Module Products.PageTemplates.Expressions, line 185, in __call__
  Module Products.PageTemplates.Expressions, line 173, in _eval
  Module Products.PageTemplates.Expressions, line 127, in _eval
   - __traceback_info__: message
  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
Unauthorized: You are not allowed to access 'a particular str' in this context

Regards
Gerhard

-- 
Gerhard Schmidt | E-Mail: [EMAIL PROTECTED]
TU-München | WWW & Online Services
Tel: 089/289-25270 | Fax: 089/289-25257 | PGP-Publickey on request
Re: [Zope] You are not allowed to access 'a particular str' in this context
Martijn Jacobs wrote:
> Does this problem only occur with message/ID ? Or also with
> message/Message or message/SenderId ?

The problem is on all strings. DateTime objects are working.

> Which version of zope are you using?

Zope 2.9.7-final, python 2.4.4, freebsd7

Gerhard

-- 
Gerhard Schmidt | E-Mail: [EMAIL PROTECTED]
TU-München | WWW & Online Services
Tel: 089/289-25270 | Fax: 089/289-25257 | PGP-Publickey on Request
Re: [Zope] You are not allowed to access 'a particular str' in this context
Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
>I have a rather strange Problem.
>
>I have a PersistentList containing PersistentMapping objects.
>
>[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
>16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8',
>'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein
>permission test', 'ID': '[EMAIL PROTECTED]'}]
>
>When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
>everything functions as expected. When I try tal:replace="message/ID" I get an
>Unauthorized Exception "You are not allowed to access 'a particular str' in
>this context"

Reconfigure your "error_log" object to not ignore "Unauthorized" exceptions,
reproduce the error and then look at the corresponding traceback.

I expect that the "message" object implements a "__bobo_traverse__"
method (or gets one through "Five").
Zope is a bit stupid when "__bobo_traverse__" returns an object
without security declarations -- such as e.g. a string.
In this case, it insists that "getattr" must return the same object
and raise "Unauthorized" otherwise.

-- 
Dieter
Re: [Zope] You are not allowed to access 'a particular str' in this context
Does this problem only occur with message/ID ? Or also with
message/Message or message/SenderId ?

Which version of zope are you using?

Kind regards,

Martijn.

> Hi all,
>
> I have a rather strange Problem.
>
> I have a PersistentList containing PersistentMapping objects.
>
> [{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
> 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8',
> 'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein
> permission test', 'ID': '[EMAIL PROTECTED]'}]
>
> When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
> everything functions as expected. When I try tal:replace="message/ID" I get an
> Unauthorized Exception "You are not allowed to access 'a particular str' in
> this context"
>
> I can access all DateTime objects. Only the strings are not allowed.
>
> There is no difference when getMessages returns the original list and
> when I build a new list with copies of the PersistentMapping objects.
>
> To get this working I have to create new dictionaries from the persistent
> mappings, add them to a normal list and return this list.
>
>     ret = []
>     for test in self.msglist:
>         # copy each PersistentMapping into a plain dict
>         temptest = {}
>         for (key, value) in test.items():
>             temptest[key] = value
>         ret.append(temptest)
>     return ret
>
> That's a real performance killer as the list is read quite frequently.
>
> Any idea how to fix this?
>
> Gerhard

-- 
Martijn Jacobs
Four Digits, Internet Solutions
a: Willemsplein 15-1 6811 KB Arnhem NL
kvk: 09162137 | btw: 8161.22.234.B01
e-mail: [EMAIL PROTECTED] | web: http://www.fourdigits.nl
tel: +31 (0)26 44 22 700 | fax: +31 (0)84 22 06 117
[Zope] You are not allowed to access 'a particular str' in this context
Hi all,

I have a rather strange Problem.

I have a PersistentList containing PersistentMapping objects.

[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8',
'Date': DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein
permission test', 'ID': '[EMAIL PROTECTED]'}]

When I do a tal:repeat="message here/getMessages" and a tal:replace="message"
everything functions as expected. When I try tal:replace="message/ID" I get an
Unauthorized Exception "You are not allowed to access 'a particular str' in
this context"

I can access all DateTime objects. Only the strings are not allowed.

There is no difference when getMessages returns the original list and
when I build a new list with copies of the PersistentMapping objects.

To get this working I have to create new dictionaries from the persistent
mappings, add them to a normal list and return this list.

    ret = []
    for test in self.msglist:
        # copy each PersistentMapping into a plain dict
        temptest = {}
        for (key, value) in test.items():
            temptest[key] = value
        ret.append(temptest)
    return ret

That's a real performance killer as the list is read quite frequently.

Any idea how to fix this?

Gerhard

-- 
Gerhard Schmidt | E-Mail: [EMAIL PROTECTED]
TU-München | WWW & Online Services
Tel: 089/289-25270 | Fax: 089/289-25257 | PGP-Publickey on request