Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-26 Thread Garito
Hi!
I don't quite understand this explanation, but it interests me a lot (as
you can see if you search for all my questions about __bobo_traverse__).
Do I need to put the __allow_access_to_unprotected_subobjects__=1 in the
__bobo_traverse__ or in some other place?

In my last attempt to solve this issue in my case I tried __roles__ = None,
but this was an incomplete solution.

Please can you complete my information?

Thanks!

2008/1/25, Dieter Maurer [EMAIL PROTECTED]:

 Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
 Dieter Maurer wrote:
  ...
  I expect that the message object implements a __bobo_traverse__
  method (or gets one through Five).
  Zope is a bit stupid when __bobo_traverse__ returns an object
  without security declarations -- such as e.g. a string.
  In this case, it insists that getattr must return the same object
  and raise Unauthorized otherwise.
 
 Time                 2008/01/25 12:01:53.125 GMT+1
 User Name (User Id)  DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
 Request URL          http://devportal:6080/portal_communications/manage_messagequeue
 Exception Type       Unauthorized
 Exception Value      You are not allowed to access 'a particular str' in this context
  ...
    - __traceback_info__: message
   Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
    - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
 Unauthorized: You are not allowed to access 'a particular str' in this context

 This may be compatible with my assumption.

 Check line 338 in Products/PageTemplates/Expressions.py.
 When this line is in the block handling the __bobo_traverse__,
 then you have confirmed my assumption.


 In this case, you must either get rid of the message's __bobo_traverse__
 or let it return an object with security declarations (such
 as an str wrapper with an __allow_access_to_unprotected_subobjects__=1
 and __roles__=None) or ensure that a getattr results in the same
 str or fix Zope.


 --
 Dieter
 ___
 Zope maillist  -  Zope@zope.org
 http://mail.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )




-- 
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670


Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-26 Thread Dieter Maurer
Garito wrote at 2008-1-26 13:37 +0100:
I don't quite understand this explanation, but it interests me a lot (as
you can see if you search for all my questions about __bobo_traverse__).
Do I need to put the __allow_access_to_unprotected_subobjects__=1 in the
__bobo_traverse__ or in some other place?

The Zope weakness becomes obvious when __bobo_traverse__
returns an object without security declarations.

To work around this weakness you have to ensure that
__bobo_traverse__ returns an object
with security declarations (in fact, it needs to be public).
This means, you must set the security declarations on the
object returned by __bobo_traverse__.

-- 
Dieter
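
The workaround described in this message (have __bobo_traverse__ return a str wrapper that carries public security declarations), shown as an added example that is not part of the thread and is not Zope's code. `model_traverse` is a simplified stand-in for the check as the thread describes it, and `Message`, `WrappedMessage`, `AttrMessage`, `PublicStr` and the sample data are assumptions made for illustration.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized; this example does not import Zope."""

_MISSING = object()

class PublicStr(str):
    """str wrapper carrying the two declarations named in the thread."""
    __roles__ = None                                # public: no role needed
    __allow_access_to_unprotected_subobjects__ = 1  # not consulted by the model below

class Message(dict):
    """Hypothetical mapping whose __bobo_traverse__ returns raw values."""
    def __bobo_traverse__(self, request, name):
        return self[name]

class WrappedMessage(Message):
    """Option 1: return an object that has security declarations."""
    def __bobo_traverse__(self, request, name):
        value = self[name]
        return PublicStr(value) if isinstance(value, str) else value

class AttrMessage(Message):
    """Option 2: make getattr on the parent yield the very same str."""
    def __getattr__(self, name):
        try:
            return self[name]
        except KeyError:
            raise AttributeError(name)

def model_traverse(obj, name):
    """Simplified model of the check described in the thread, not Zope's code."""
    value = obj.__bobo_traverse__({}, name)
    if getattr(value, "__roles__", _MISSING) is None:
        return value                      # the value declares itself public
    if getattr(obj, name, _MISSING) is value:
        return value                      # the parent vouches for the value
    raise Unauthorized("You are not allowed to access 'a particular %s' "
                       "in this context" % type(value).__name__)

def outcome(obj, name):
    """Return the traversed value, or the exception class name on refusal."""
    try:
        return model_traverse(obj, name)
    except Unauthorized as exc:
        return type(exc).__name__

SAMPLE = {"ID": "msg-0001", "Status": "Read"}     # constructed sample data

if __name__ == "__main__":
    for cls in (Message, WrappedMessage, AttrMessage):
        print(cls.__name__, "->", outcome(cls(SAMPLE), "ID"))
```

Because `__roles__ = None` makes the wrapped value public, wrap only values that every user who can reach the parent object is allowed to read.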


Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-25 Thread Gerhard Schmidt
Martijn Jacobs wrote:
 Does this problem only occur with message/ID? Or also with
 message/Message or message/SenderId?

The problem is on all Strings. DateTime objects are working.

 Which version of zope are you using?

Zope 2.9.7-final, python 2.4.4, freebsd7

Gerhard
-- 
-
Gerhard Schmidt   | E-Mail: [EMAIL PROTECTED]
TU-München|
WWW  Online Services |
Tel: 089/289-25270|
Fax: 089/289-25257| PGP-Publickey on Request



Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-25 Thread Gerhard Schmidt
Dieter Maurer wrote:
 Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
 I have a rather strange Problem.

 I have a PersistentList containing PersistentMapping objects.

 [{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
 16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date':
 DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission
 test', 'ID': '[EMAIL PROTECTED]'}]

 When I do a tal:repeat=message here/getMessages and a tal:replace=message
 everything functions as expected. When I try tal:replace=message/ID I get an
 Unauthorized Exception You are not allowed to access 'a particular str' in
 this context
 
 Reconfigure your error_log object to not ignore Unauthorized exceptions,
 reproduce the error and then look at the corresponding traceback.
 
 I expect that the message object implements a __bobo_traverse__
 method (or gets one through Five).
 Zope is a bit stupid when __bobo_traverse__ returns an object
 without security declarations -- such as e.g. a string.
 In this case, it insists that getattr must return the same object
 and raise Unauthorized otherwise.

Time                 2008/01/25 12:01:53.125 GMT+1
User Name (User Id)  DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
Request URL          http://devportal:6080/portal_communications/manage_messagequeue
Exception Type       Unauthorized
Exception Value      You are not allowed to access 'a particular str' in this context

Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 41, in call_object
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.PageTemplates.PageTemplateFile, line 113, in _exec
  Module Products.PageTemplates.PageTemplate, line 104, in pt_render
   - PageTemplateFile at /TUM_Portal/portal_communications/manage_messagequeue
  Module TAL.TALInterpreter, line 238, in __call__
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 715, in do_condition
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 691, in do_loop_tal
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 455, in do_optTag_tal
  Module TAL.TALInterpreter, line 437, in no_tag
  Module TAL.TALInterpreter, line 281, in interpret
  Module TAL.TALInterpreter, line 531, in do_insertText_tal
  Module Products.PageTemplates.TALES, line 227, in evaluateText
  Module Products.PageTemplates.TALES, line 221, in evaluate
   - URL: manage_messagequeue
   - Line 17, Column 9
   - Expression: standard:'message/ID'
   - Names:
  {'container': TUMCommunications at /TUM_Portal/portal_communications,
   'context': TUMCommunications at /TUM_Portal/portal_communications,
   'default': Products.PageTemplates.TALES.Default instance at 0x807299dd0,
   'here': TUMCommunications at /TUM_Portal/portal_communications,
   'loop': Products.PageTemplates.TALES.SafeMapping object at 0x8129168c0,
   'modules': Products.PageTemplates.ZRPythonExpr._SecureModuleImporter instance at 0x80729a248,
   'nothing': None,
   'options': {'args': ()},
   'repeat': Products.PageTemplates.TALES.SafeMapping object at 0x8129168c0,
   'request': HTTPRequest, URL=http://devportal:6080/portal_communications/manage_messagequeue,
   'root': Application at ,
   'template': PageTemplateFile at /TUM_Portal/portal_communications/manage_messagequeue,
   'traverse_subpath': [],
   'user': LDAPUser 'DC83D1F1DB88CDE8'}
  Module Products.PageTemplates.Expressions, line 185, in __call__
  Module Products.PageTemplates.Expressions, line 173, in _eval
  Module Products.PageTemplates.Expressions, line 127, in _eval
   - __traceback_info__: message
  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
Unauthorized: You are not allowed to access 'a particular str' in this context

Regards
 Gerhard

-- 
-
Gerhard Schmidt   | E-Mail: [EMAIL PROTECTED]
TU-München|
WWW  Online Services |
Tel: 089/289-25270|
Fax: 089/289-25257| PGP-Publickey on Request



Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-25 Thread Dieter Maurer
Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
Dieter Maurer wrote:
 ...
 I expect that the message object implements a __bobo_traverse__
 method (or gets one through Five).
 Zope is a bit stupid when __bobo_traverse__ returns an object
 without security declarations -- such as e.g. a string.
 In this case, it insists that getattr must return the same object
 and raise Unauthorized otherwise.

Time                 2008/01/25 12:01:53.125 GMT+1
User Name (User Id)  DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
Request URL          http://devportal:6080/portal_communications/manage_messagequeue
Exception Type       Unauthorized
Exception Value      You are not allowed to access 'a particular str' in this context
 ...
   - __traceback_info__: message
  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
Unauthorized: You are not allowed to access 'a particular str' in this context

This may be compatible with my assumption.

Check line 338 in Products/PageTemplates/Expressions.py.
When this line is in the block handling the __bobo_traverse__,
then you have confirmed my assumption.


In this case, you must either get rid of the message's __bobo_traverse__
or let it return an object with security declarations (such
as an str wrapper with an __allow_access_to_unprotected_subobjects__=1
and __roles__=None) or ensure that a getattr results in the same
str or fix Zope.


-- 
Dieter


Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-24 Thread Martijn Jacobs
Does this problem only occur with message/ID? Or also with
message/Message or message/SenderId?


Which version of zope are you using?


Kind regards,


Martijn.

Hi all,

I have a rather strange Problem.

I have a PersistentList containing PersistentMapping objects.

[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date':
DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission
test', 'ID': '[EMAIL PROTECTED]'}]

When I do a tal:repeat=message here/getMessages and a tal:replace=message
everything functions as expected. When I try tal:replace=message/ID I get an
Unauthorized Exception You are not allowed to access 'a particular str' in
this context

I can access all DateTime objects. Only the strings are not allowed.

There is no difference when getMessages returns the original list and when I
build a new list with copies of the PersistentMapping objects.

To get this working I have to create new dictionaries from the
PersistentMappings, add them to a normal list and return this list.

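def getMessages(self):
    # Copy every PersistentMapping into a plain dict and
    # return the copies in a plain list.
    ret = []

    for test in self.msglist:
        temptest = {}
        for (key, value) in test.items():
            temptest[key] = value
        ret.append(temptest)
    return ret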

That's a real performance killer as the list is read quite frequently.

Any idea how to fix this?


Gerhard
  






--
Martijn Jacobs
Four Digits, Internet Solutions

a: Willemsplein 15-1 6811 KB Arnhem NL 
kvk: 09162137 | btw: 8161.22.234.B01

e-mail: [EMAIL PROTECTED] | web: http://www.fourdigits.nl
tel: +31 (0)26 44 22 700 | fax: +31 (0)84 22 06 117 



Re: [Zope] You are not allowed to access 'a particular str' in this context

2008-01-24 Thread Dieter Maurer
Gerhard Schmidt wrote at 2008-1-24 16:56 +0100:
I have a rather strange Problem.

I have a PersistentList containing PersistentMapping objects.

[{'Status': 'Read', 'Confirm': False, 'Read': DateTime('2008/01/24
16:03:32.508 GMT+1'), 'Expires': None, 'SenderID': 'DC83D1F1DB88CDE8', 'Date':
DateTime('2008/01/24 15:51:50.998 GMT+1'), 'Message': 'Da ist ein permission
test', 'ID': '[EMAIL PROTECTED]'}]

When I do a tal:repeat=message here/getMessages and a tal:replace=message
everything functions as expected. When I try tal:replace=message/ID I get an
Unauthorized Exception You are not allowed to access 'a particular str' in
this context

Reconfigure your error_log object to not ignore Unauthorized exceptions,
reproduce the error and then look at the corresponding traceback.

I expect that the message object implements a __bobo_traverse__
method (or gets one through Five).
Zope is a bit stupid when __bobo_traverse__ returns an object
without security declarations -- such as e.g. a string.
In this case, it insists that getattr must return the same object
and raise Unauthorized otherwise.



-- 
Dieter