Re: [Zope-dev] skinscript and URL traversal question

2001-01-21 Thread Aaron Payne

Hi all,

A solution has been found.  woohoo.  A not found error was produced with 
direct URL traversal.

Steve Spicklemire sent this solution off list.

The process is split into two steps:

Do the query to 'load the object on traversal':
WITH QUERY searchBy_Name(name=self.id) COMPUTE name

Do the query to 'load the attributes needed for rendering a particular 
document':
WITH QUERY searchByNameCheck(self.id) COMPUTE 
username,coupon_text,categorylist,categoryheader,expirationdate,status,couponterms

During traversal AUTHENTICATED_USER is not yet defined, so it's no good trying
to get to it. However, once authentication has happened (after Zope has sorted
out what object you're after an imposed security on the object..) then it 
should
be OK. Since the Storage tab uses 'name' to load the object, we can't access
AUTHENTICATED_USER before loading 'name', but the other attributes are OK.

-Aaron



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] skinscript and URL traversal question

2001-01-19 Thread Aaron Payne

At 05:02 PM 1/18/01 -0500, Phillip J. Eby wrote:
At 08:54 AM 1/18/01 -0500, Aaron Payne wrote:
 Hi all,
 
 I originally posted this to the zope list and, upon suggestion, I am
 reposting it to zope-dev.
 
 I'm using a zsql method in a skinscript with query ... compute ... and it
 mostly works. Retrieving the dataskin with getItem() works.  For example,
 Cid is the id of the coupon dataskin.
 dtml-with "getItem(Cid)"
dtml-var couponattributes
 /dtml-with

This is probably a permissions issue.  During __bobo_traverse__, the user
has not yet been authenticated, and is effectively anonymous.

I was logged in as a manager.

Thus, your
SkinScript is running as anonymous, and probably doesn't have rights to
access the SQL method.
You might need to change the proxy roles setting on
the SkinScript method so that when the SkinScript runs it always has
appropriate roles to do what it needs to do.

I gave the skinscript trigger a proxy role of manager.  Actually, I gave 
all methods involved a proxy of manager. The same error was produced.


The reason it would work from in a DTML method, is that when a DTML method
runs, the user has already been authenticated, so the SkinScript runs with
the user's rights, and they have rights to call the SQL method.

If you run Zope in debug mode and do this, you should probably see some
console output about an error in computing the WITH-COMPUTE statement when
you try to run it via bobo_traverse.  It'll probably say the SQL method is
not found (because it doesn't have permissions to access it in that context).



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] skinscript and URL traversal question

2001-01-19 Thread Phillip J. Eby

At 09:41 AM 1/19/01 -0500, Aaron Payne wrote:
At 09:38 AM 1/19/01 -0500, Phillip J. Eby wrote:

 Thus, your
 SkinScript is running as anonymous, and probably doesn't have rights to
 access the SQL method.
 You might need to change the proxy roles setting on
 the SkinScript method so that when the SkinScript runs it always has
 appropriate roles to do what it needs to do.
 
 I gave the skinscript trigger a proxy role of manager.  Actually, I gave
 all methods involved a proxy of manager. The same error was produced.

What version of Zope are you using?


Zope version: Zope 2.2.1
Platform: freebsd4


Hmm.  You've got me, then.  Have you tried taking the Python Method out of
the mix and using the SQL method directly, like this:

WITH QUERY searchBy_Name(name=self.id)

Also, have you tried running Zope with logging ("STUPID_LOG_FILE") enabled?
 What gets added to the log when you try to access the object via
bobo_traverse?


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )