Re: [Zope-dev] [Problem] Zope/Python2.x incompatibility
On Sun, 1 Jul 2001 16:15:40 +0200 (CEST), Dieter Maurer [EMAIL PROTECTED] wrote: I just met the following problem caused by a misfortunate name clash between Python2.x and Zope: The *real* problem here (IMO, and I know I am close to alone on this one ;-) is overstreaching dtml beyone what it is good for; that is trivial document templating. dtml-in is a particularly bad at polluting the dtml namespace (which is particularly serious because you have only got one of them) Toby Dickenson [EMAIL PROTECTED] ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] [Problem] Zope/Python2.x incompatibility
Toby Dickenson writes: On Sun, 1 Jul 2001 16:15:40 +0200 (CEST), Dieter Maurer [EMAIL PROTECTED] wrote: I just met the following problem caused by a misfortunate name clash between Python2.x and Zope: The *real* problem here (IMO, and I know I am close to alone on this one ;-) is overstreaching dtml beyone what it is good for; that is trivial document templating. My task was a trivial presentation task: displaying the properties of an object... dtml-in is a particularly bad at polluting the dtml namespace (which is particularly serious because you have only got one of them) It makes the presentation of database queries really easy Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] [Problem] Zope/Python2.x incompatibility
Dear Zopistas,
I just met the following problem caused by a misfortunate name
clash between Python2.x and Zope:
DTML-Document:
dtml-var standard_html_header
h2dtml-var title_or_id/h2
table cellpadding=5
dtml-in propertyIds
dtml-let p=sequence-item
trthdtml-p;/thtddtml-var _[p]/td/tr
/dtml-let
/dtml-in
dtml-var standard_html_footer
When this document is rendered, Shane's wonderful ZDebug tool reports:
Error type: Unauthorized
Error value: Access denied for built-in method title of string object at
0x8d45e50 because
its container, 'title', has no security assertions.
Innermost method: /Test/wt/Target
Namespace Stack (innermost entry at top)
ID Type
(N/A) mapping with keys: ['p']
? InstanceDict
? DocumentTemplate.DT_InSV.sequence_variables
(N/A) mapping with keys: ['propertyIds']
(N/A) mapping with keys: ['document_id', 'document_title']
TargetInstanceDict
TargetInstanceDict
REQUEST ZPublisher.HTTPRequest.HTTPRequest
problem in _[p].
What happens here?
dtml-in pushes the property id title (a string) onto the namespace
stack. It is the next-to top InstanceDict entry.
Starting with Python 2.0 (maybe 1.6), string objects have
methods, among them title.
When title is looked up in the namespace, the title of
the string object is found and not the one of the DTML Document.
This wrong title method gives an Unauthorized exception because
string objects do not participate in Zope's security mechanism.
Danger
Any string object on the namespace can prevent access to
the title property. Propably only dtml-in and
(if used wrongly) dtml-with are affected.
Thank you Shane for the wonderfull ZDebug.
Without it, it would have been much more difficult to analyse
this problem.
Dieter
___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
