Hi Steve,

Thanks for the reply. Of course as soon as I reported this, I went
away for a couple days and I haven't been able to check the list.

It appears that the problem is that the BTreeItems object returned by
getPersistentObjectIDs isn't currently allowed as an argument of 'in'
by itself since it's not in the 'containerAssertions' dictionary
defined in SimpleObjectPolicies.py and it doesn't have the magic
property: '__allow_access_to_unprotected_subobjects__'. If you *sort*
the BTreeItems object however, the dtml-in tag makes a copy of the
items in the BTreeItems object as a simple List, and sorts that rather
than destructively attempting to sort the original.  The simple list
is in containerAssertions, and is therefore allowed.

I was wrong about the 

<dtml-var "defaultRack.getPersistentItemIDs()">

it's only

<dtml-in "defaultRack.getPersistentItemIDs()">

that seems to cause the problem.

The odd thing is that the method 'getPersistentObjectIDs' is correctly
included in the definition of __ac_permissions__ in Rack.py, but as
you point out, it returns a BTreeItems object that doesn't want to
play nice with <dtml-in... >. Once possible solution would be to add
an '__allow_access_to_unprotected_subobjects__' property to the
BTreeItems object. I'm not sure who should do that..... maybe Rack.py?
For now.. I'll just sort the ids. ;-)


>>>>> "Steve" == Steve Alexander <[EMAIL PROTECTED]> writes:

    Steve> Steve Spicklemire wrote:
    >>  Hi ZPatterns folks...
    >> ZPatterns-0.4.1snap1 Zope2.2.0-src
    >> I have a specialist with a defaultRack storing DataSkin
    >> subclassed ZClass instances with only persistent attribute
    >> providers.
    >> <dtml-var "defaultRack.getPersistentItemIDs()">

    Steve> When I call that, I get <BTreeItems object at 869a5d8>. To
    Steve> get that list of IDs, I use an external method:

    Steve> def get_persistent_ids(self): try: items =
    Steve> self.defaultRack.aq_base.getPersistentItemIDs() return
    Steve> map(lambda x: x, items)
    Steve>     except: import sys, traceback, string etype, val, tb =
    Steve> sys.exc_info()
    Steve> sys.stderr.write(string.join(traceback.format_exception(etype,
    Steve> val, tb),'')) del etype, val, tb

    Steve> I've tried something like your code, with no sheetproviders
    Steve> in the rack.  I can't reproduce your error. I'm using the
    Steve> method as a Manager.
    >> or
    >> <dtml-in "defaultRack.getPersistentItemIDs()"> ...  </dtml-in>
    >> raise AuthorizationFailed
    >> <dtml-in "defaultRack.getPersistentItemIDs()" sort> ...
    >> </dtml-in>
    >> works fine. What did I do now? ;-)

    Steve> Line 318, Rack.py. The method getPersistentItemIDs has no
    Steve> docstring. Is that still significant under the new security
    Steve> model?

    Steve> Does the user you're running the method as have the
    Steve> permission "Access contents information" ?

    Steve> Looks like you may have uncovered a Zope security bug in
    Steve> <dtml-in ...
    sort> :-/

    Steve> How could we test this further?

    Steve> -- Steve Alexander Software Engineer Cat-Box limited
    Steve> http://www.cat-box.net

    Steve> _______________________________________________ Zope-Dev
    Steve> maillist - [EMAIL PROTECTED]
    Steve> http://lists.zope.org/mailman/listinfo/zope-dev ** No cross
    Steve> posts or HTML encoding!  ** (Related lists -
    Steve> http://lists.zope.org/mailman/listinfo/zope-announce
    Steve> http://lists.zope.org/mailman/listinfo/zope )

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to