Dear Zopistas,
I just met the following problem caused by a misfortunate name
clash between Python2.x and Zope:
DTML-Document:
    <dtml-var standard_html_header>
    <h2><dtml-var title_or_id></h2>
    <table cellpadding=5>
    <dtml-in propertyIds>
    <dtml-let p=sequence-item>
    <tr><th>&dtml-p;</th><td><dtml-var "_[p]"></td></tr>
    </dtml-let>
    </dtml-in>
    </table>
    <dtml-var standard_html_footer>
When this document is rendered, Shane's wonderful ZDebug tool reports:
    Error type: Unauthorized
    Error value: Access denied for built-in method title of string object at 0x8d45e50 because its container, 'title', has no security assertions.
    Innermost method: /Test/wt/Target

    Namespace Stack (innermost entry at top)
    ID        Type
    (N/A)     mapping with keys: ['p']
    ?         InstanceDict
    ?         DocumentTemplate.DT_InSV.sequence_variables
    (N/A)     mapping with keys: ['propertyIds']
    (N/A)     mapping with keys: ['document_id', 'document_title']
    Target    InstanceDict
    Target    InstanceDict
    REQUEST   ZPublisher.HTTPRequest.HTTPRequest
problem in _[p].
What happens here?
dtml-in pushes the property id title (a string) onto the namespace
stack. It is the next-to-top InstanceDict entry.
Starting with Python 2.0 (maybe 1.6), string objects have
methods, among them title.
When title is looked up in the namespace, the title of
the string object is found and not the one of the DTML Document.
This wrong title method gives an Unauthorized exception because
string objects do not participate in Zope's security mechanism.
Danger
Any string object on the namespace can prevent access to
the title property. Probably only dtml-in and
(if used wrongly) dtml-with are affected.
Thank you Shane for the wonderful ZDebug.
Without it, it would have been much more difficult to analyse
this problem.
Dieter
___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
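The shadowing described in the message above, as an added example that is not part of the original post and is not Zope's code: a simplified model of the namespace stack in which each sequence item is wrapped so its attributes become names. The classes InstanceDict, Namespace and Document, the _security_declared flag and the helpers outcome and shadowed_ids are assumptions made for illustration.

```python
class Unauthorized(Exception):
    pass

class InstanceDict:
    """Exposes an object's attributes as mapping keys (simplified model)."""
    def __init__(self, obj):
        self.obj = obj
    def __getitem__(self, name):
        try:
            value = getattr(self.obj, name)
        except AttributeError:
            raise KeyError(name)
        # Modelled security check: methods of plain Python objects carry
        # no security assertions, so access is denied instead of skipped.
        if callable(value) and not getattr(self.obj, "_security_declared", False):
            raise Unauthorized("built-in method %s of %s object"
                               % (name, type(self.obj).__name__))
        return value

class Namespace:
    """Stack of mappings, searched from the innermost entry outwards."""
    def __init__(self):
        self.stack = []
    def push(self, layer):
        self.stack.append(layer)
    def __getitem__(self, name):
        for layer in reversed(self.stack):
            try:
                return layer[name]
            except KeyError:
                continue
        raise KeyError(name)

class Document:  # constructed sample object standing in for the DTML Document
    _security_declared = True
    title = "Target page"
    content_type = "text/html"

def outcome(doc, prop_id):
    """Evaluate _[p] for one loop iteration over the property ids."""
    ns = Namespace()
    ns.push(InstanceDict(doc))       # the document itself
    ns.push(InstanceDict(prop_id))   # the sequence item, a plain string
    ns.push({"p": prop_id})          # the dtml-let binding
    try:
        return ("ok", ns[prop_id])
    except Unauthorized as exc:
        return ("unauthorized", str(exc))

def shadowed_ids(property_ids):
    """Audit helper: ids that a string on the stack would shadow."""
    return [p for p in property_ids if hasattr(str, p)]
```

Running shadowed_ids over an object's property ids shows in advance which names collide with string methods and would be cut off by a string on the namespace.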