Re: [Zope-dev] _.min and _.max still used by ZMI

2004-01-13 Thread Roger Espinosa
On Tuesday, January 13, 2004, at 11:21  PM, Travis Miller wrote:

> hi Dirk,
>
> i just (configure/make/make install)ed Zope-2.7.0-b4 and i immediately
> ran into the .min/.max/... security changes when i tried to rename an
> object through the ZMI.

I got around the min/max by adding them to the list on
RestrictedPython/Guards.py.

But b4 seemed to make any script trying to pass a zero-value parameter 
raise unauthorized exceptions. Code like

	ob.edit( is_exemplar=0 )

no longer worked. Traceback from another attempt attached below, when
"notify_instantly" was set to 0. (Passing an integer 1 *would* work.)

Roger

Traceback (most recent call last):
  File "/usr/local/zope/App/lib/python/ZPublisher/Publish.py", line 100, in publish
    request, bind=1)
  File "/usr/local/zope/App/lib/python/ZPublisher/mapply.py", line 88, in mapply
    if debug is not None: return debug(object,args,context)
  File "/usr/local/zope/App/lib/python/ZPublisher/Publish.py", line 40, in call_object
    result=apply(object,args) # Type s to step into published object.
  File "/usr/local/zope/App/lib/python/Products/CMFCore/FSPythonScript.py", line 92, in __call__
    return Script.__call__(self, *args, **kw)
  File "/usr/local/zope/App/lib/python/Shared/DC/Scripts/Bindings.py", line 261, in __call__
    return self._bindAndExec(args, kw, None)
  File "/usr/local/zope/App/lib/python/Shared/DC/Scripts/Bindings.py", line 292, in _bindAndExec
    return self._exec(bound_data, args, kw)
  File "/usr/local/zope/App/lib/python/Products/CMFCore/FSPythonScript.py", line 126, in _exec
    result = apply(f, args, kw)
  File "Script (Python)", line 55, in post_feedback
  File "/usr/local/zope/App/lib/python/AccessControl/ZopeGuards.py", line 349, in guarded_apply
    return builtin_guarded_apply(func, args, kws)
  File "/usr/local/zope/App/lib/python/AccessControl/ZopeGuards.py", line 371, in builtin_guarded_apply
    return func(*arglist, **argdict)
  File "/usr/local/zope/App/lib/python/Products/CMFCore/PortalFolder.py", line 362, in invokeFactory
    , kw
  File "/usr/local/zope/App/lib/python/Products/CMFCore/TypesTool.py", line 824, in constructContent
    ob = apply(info.constructInstance, (container, id) + args, kw)
  File "/usr/local/zope/App/lib/python/Products/CMFCore/TypesTool.py", line 513, in constructInstance
    id = apply( m, args, kw ) or id  # allow factory to munge ID
  File "/usr/local/zope/M2K3/Products/Mousetrap/FeedbackPost.py", line 84, in addFeedbackPost
    o.setupFeedbackType(defaults=kw)
  File "/usr/local/zope/M2K3/Products/Mousetrap/FeedbackPost.py", line 124, in setupFeedbackType
    method(defaults=defaults)
  File "/usr/local/zope/App/lib/python/Products/CMFCore/FSPythonScript.py", line 92, in __call__
    return Script.__call__(self, *args, **kw)
  File "/usr/local/zope/App/lib/python/Shared/DC/Scripts/Bindings.py", line 261, in __call__
    return self._bindAndExec(args, kw, None)
  File "/usr/local/zope/App/lib/python/Shared/DC/Scripts/Bindings.py", line 292, in _bindAndExec
    return self._exec(bound_data, args, kw)
  File "/usr/local/zope/App/lib/python/Products/CMFCore/FSPythonScript.py", line 126, in _exec
    result = apply(f, args, kw)
  File "Script (Python)", line 5, in apply_CommentSchema
  File "/usr/local/zope/App/lib/python/AccessControl/ZopeGuards.py", line 349, in guarded_apply
    return builtin_guarded_apply(func, args, kws)
  File "/usr/local/zope/App/lib/python/AccessControl/ZopeGuards.py", line 369, in builtin_guarded_apply
    guard(kws, v, k)
  File "/usr/local/zope/App/lib/python/AccessControl/ZopeGuards.py", line 219, in guard
    if getSecurityManager().validate(container, container, index, value):
  File "/usr/local/zope/App/lib/python/AccessControl/ImplPython.py", line 263, in validate
    raise Unauthorized(name, value)
Unauthorized: You are not allowed to access 'notify_instantly' in this context

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] _.min and _.max still used by ZMI

2004-01-13 Thread Travis Miller
hi Dirk,

i just (configure/make/make install)ed Zope-2.7.0-b4 and i immediately 
ran into the .min/.max/... security changes when i tried to rename an 
object through the ZMI.

i tried your patch but after the change, zopectl errors when run:

[EMAIL PROTECTED]:~> ./InstanceHome27b4/bin/zopectl start
Error: The object named by "DBTab.ClassFactories.autoClassFactory" could not be imported
(line 822 in file:///opt/Zope/InstanceHome27b4-2/etc/zope.conf)
For help, use /opt/Zope/SoftwareHome27b4/lib/python/Zope/Startup/zopectl.py -h

when i roll back the patch zopectl runs again, but of course the max call
still fails.

any ideas?

thanks,
travis


Re: [Zope-dev] _.min and _.max still used by ZMI

2004-01-11 Thread Johan Carlsson
Dirk wrote:
> Hi Johan,
>
> maybe the patch can fix your problem.

Thanks!



--
Johan Carlsson          Tel: + 46 8 31 24 94
Colliberty              Mob: + 46 70 558 25 24
Torsgatan 72            Email: [EMAIL PROTECTED]
SE-113 37 STOCKHOLM     Skype: colliberty




Re: [Zope-dev] _.min and _.max still used by ZMI

2004-01-10 Thread Dirk
Hi Johan,

maybe the patch can fix your problem.

Regards,
Dirk

--- DT_Util.py.orig Sat Jan 10 22:58:45 2004
+++ DT_Util.py  Sat Jan 10 22:56:43 2004
@@ -58,6 +58,11 @@
 else:
 d[name] = f
 
+from AccessControl.ZopeGuards import guarded_min, guarded_max
+
+d['min'] = NotBindable(guarded_min)
+d['max'] = NotBindable(guarded_max)
+
 if LIMITED_BUILTINS:
 # Replace certain builtins with limited versions.
 from RestrictedPython.Limits import limited_builtins
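
Review bot: the unconditional module-level `from AccessControl.ZopeGuards import guarded_min, guarded_max` makes DT_Util.py depend on AccessControl at import time, and nothing in the hunk handles that import failing or being circular. A follow-up in this thread (Travis Miller, 2004-01-13) reports zopectl stopping with a "could not be imported" error once the patch is applied, which is what a failure raised while this module loads would look like, so confirm that DT_Util still imports on its own before relying on the change. Also add a short comment saying why `min` and `max` are bound to the guarded versions, and check that the `if LIMITED_BUILTINS:` block that follows does not replace `d['min']` and `d['max']` again.
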


[Zope-dev] _.min and _.max still used by ZMI

2004-01-10 Thread Johan Carlsson
Since the new security release for Zope 2.6.3 (and 2.7) the _.min and
_.max don't work any more.
But they are still used by the ZMI in the following places:

OFS\dtml\properties.dtml(140): size="">
OFS\dtml\properties.dtml(152): size="">
OFS\dtml\propertyType.dtml(93): size="">
OFS\dtml\renameForm.dtml(27): "_.max(40,_.len(getId())+4)">" 
value="&dtml-id;" />

This breaks at least "multiple selection" properties.

Is there a workaround for DTML files using these features?

Best Regards,
Johan Carlsson
--
Johan Carlsson          Tel: + 46 8 31 24 94
Colliberty              Mob: + 46 70 558 25 24
Torsgatan 72            Email: [EMAIL PROTECTED]
SE-113 37 STOCKHOLM     Skype: colliberty

