Stuart Bishop wrote:
Hash: SHA1

In Shared.DC.Scripts.Bindings._getContext(self), there seems to be a new security check: getSecurityManager().validate(parent, container, '', self)

This is now giving me the following traceback:

Traceback (innermost last):
Module ZPublisher.Publish, line 100, in publish
Module ZPublisher.mapply, line 88, in mapply
Module ZPublisher.Publish, line 40, in call_object
Module, line 911, in editPane
Module Shared.DC.Scripts.Bindings, line 261, in __call__
Module Shared.DC.Scripts.Bindings, line 292, in _bindAndExec
Module Products.PageTemplates.PageTemplateFile, line 106, in _exec
Module Products.PageTemplates.PageTemplate, line 90, in pt_render
- <PageTemplateFile at /CGPublisher/works/2/5/source/getaway/details/editPaneHelper>
Module Products.PageTemplates.PageTemplateFile, line 74, in pt_getContext
Module Shared.DC.Scripts.Bindings, line 224, in _getContext
Module AccessControl.ImplPython, line 398, in validate
Module AccessControl.ImplPython, line 263, in validate
Unauthorized: You are not allowed to access '' in this context

editPaneHelper is just a PageTemplateFile. Storage.editPane (Python - not Python Script) is calling it like: return self.editPaneHelper(**options)

Can anyone give me a hint on tracking this down? I have so far been unable to write a minimal example that fails (they all work), so I'm unsure if this is a Zope problem or my problem.

Zope 2.6.3 added a new security check for untrusted code, to ensure that the "bindings" created (in particular, 'context' and 'container') weren't set up if the user didn't have access to the bound objects.

You can either:

  - On the template's "Bindings" tab, unbind the 'context' name
   (assuming that your template does not use either 'context' or 'here')

- Give the template a proxy role of 'Manager'.

Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to