Martin Aspeli wrote:
> Hi,
>
> Ages ago, I started a thread (I think on this list) about the use of TAL
> expressions in Zope 3-style page templates (i.e. ViewPageTemplateFiles
> used on views) incorrectly performing security checks when using TAL
> expressions.
>
> I think Tres fixed it at the time (I can't find the original mail), but
> in Zope 2.12.2 there seems to have been a regression. I'd like to make
> sure I've not missed something, though.
>
> I see the problem in Plone 4.0a2 on Zope 2.12, trying to use
> plone.app.registry. This package has a class that derives from
> plone.registry.registry.Registry (a "ZTK-only" version) and SimpleItem
> (to get Zope 2 security and ZMI visibility). Otherwise, it does nothing.
>
> There is a view for this class registered like this:
>
>   <browser:page
>       name="view"
>       for="plone.registry.interfaces.IRegistry"
>       template="records.pt"
>       permission="cmf.ManagePortal"
>       />
>
> In records.pt, there is the following:
>
>   <tr tal:repeat="record context/records/values">
>     ...
>   </tr>
>
> This fails with the stack trace below. However, if I change it to use a
> python: expression, it's all fine:
>
>   <tr tal:repeat="record python:context.records.values()">
>     ...
>   </tr>
>
> As you can see from the stack trace, the TAL expression has resulted in
> the use of restrictedTraverse(). I think it should be using
> unrestrictedTraverse(), since ViewPageTemplateFiles are filesystem code.
>
> (In this particular case, it's failing the restrictedTraverse check
> because 'records' is a property and so doesn't have an aq chain, but
> never mind that).
>
> Stack trace:
>
> 2009-12-13 00:40:13 ERROR Zope.SiteErrorLog 1260636013.580.4115611559
> http://localhost:8080/test/portal_registry/@@view
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 127, in publish
>   Module ZPublisher.mapply, line 77, in mapply
>   Module Products.PDBDebugMode.runcall, line 70, in pdb_runcall
>   Module ZPublisher.Publish, line 47, in call_object
>   Module Products.Five.browser.metaconfigure, line 427, in __call__
>   Module Products.Five.browser.pagetemplatefile, line 126, in __call__
>   Module Products.Five.browser.pagetemplatefile, line 60, in __call__
>   Module zope.pagetemplate.pagetemplate, line 115, in pt_render
>   Module zope.tal.talinterpreter, line 271, in __call__
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 888, in do_useMacro
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>   Module zope.tal.talinterpreter, line 518, in do_optTag
>   Module zope.tal.talinterpreter, line 513, in no_tag
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 888, in do_useMacro
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>   Module zope.tal.talinterpreter, line 518, in do_optTag
>   Module zope.tal.talinterpreter, line 513, in no_tag
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 946, in do_defineSlot
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>   Module zope.tal.talinterpreter, line 518, in do_optTag
>   Module zope.tal.talinterpreter, line 513, in no_tag
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 954, in do_defineSlot
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>   Module zope.tal.talinterpreter, line 518, in do_optTag
>   Module zope.tal.talinterpreter, line 513, in no_tag
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 946, in do_defineSlot
>   Module zope.tal.talinterpreter, line 343, in interpret
>   Module zope.tal.talinterpreter, line 819, in do_loop_tal
>   Module zope.tales.tales, line 682, in setRepeat
>   Module zope.tales.tales, line 696, in evaluate
>    - URL: /Users/optilude/Development/Plone/Instances/Clients/Lotterywest/osc/src/plone.app.registry/plone/app/registry/browser/records.pt
>    - Line 33, Column 12
>    - Expression: <PathExpr standard:u'context/records/values'>
>    - Names:
>       {'args': (),
>        'container': <Registry at /test/portal_registry>,
>        'context': <Registry at /test/portal_registry>,
>        'default': <object object at 0x1002c7b50>,
>        'here': <Registry at /test/portal_registry>,
>        'loop': {},
>        'nothing': None,
>        'options': {},
>        'repeat': <Products.PageTemplates.Expressions.SafeMapping object at 0x108e8b3b0>,
>        'request': <HTTPRequest, URL=http://localhost:8080/test/portal_registry/@@view>,
>        'root': <Application at >,
>        'template': <Products.Five.browser.pagetemplatefile.ViewPageTemplateFile object at 0x10792b950>,
>        'traverse_subpath': [],
>        'user': <PropertiedUser 'admin'>,
>        'view': <Products.Five.metaclass.SimpleViewClass from /Users/optilude/Development/Plone/Instances/Clients/Lotterywest/osc/src/plone.app.registry/plone/app/registry/browser/records.pt object at 0x10885c810>,
>        'views': <Products.Five.browser.pagetemplatefile.ViewMapper object at 0x108cbb0d0>}
>   Module zope.tales.expressions, line 217, in __call__
>   Module Products.PageTemplates.Expressions, line 127, in _eval
>   Module zope.tales.expressions, line 124, in _eval
>   Module Products.PageTemplates.Expressions, line 76, in boboAwareZopeTraverse
>   Module OFS.Traversable, line 312, in restrictedTraverse
>   Module OFS.Traversable, line 247, in unrestrictedTraverse
>    - __traceback_info__: ([], 'records')
> Unauthorized: You are not allowed to access 'records' in this context
>
> /Users/optilude/.buildout/eggs/Zope2-2.12.1-py2.6-macosx-10.6-i386.egg/OFS/Traversable.py(247)unrestrictedTraverse()
Doesn't smell like a regression to me: the code there hasn't changed in a good long while. Can you write a test case for it, so that we can test against earlier versions?

Tres.

--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
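As an added illustration for readers following the thread (this is constructed code, not Zope's, plone.app.registry's or either poster's), the toy model below mimics the shape of the two traversal paths the quoted traceback contrasts. A path expression such as `context/records/values` is walked one segment at a time; in restricted mode every hop is handed to a security policy, and a value returned by a plain Python property (the `records` attribute here) carries neither an acquisition chain nor a permission declaration, so the restricted check refuses it, while an unrestricted walk (the branch Martin argues filesystem templates should take) and the `python:` form both succeed. All class and function names (`Wrapped`, `Registry`, `validate`, `restricted_traverse`, `unrestricted_traverse`, `evaluate_path_expr`, `evaluate_python_expr`) are local stand-ins, and the toy policy is deliberately simpler than AccessControl's real rules.

```python
"""Toy model of restricted vs. unrestricted path traversal.

Constructed for illustration; it is not Zope code.  It reproduces the
structure of the failure in the thread: a TAL path expression traverses
hop by hop, and in restricted mode each hop is validated by a policy that
needs an acquisition-wrapped, permission-declared value.  A bare dict
returned from a property has neither, so the restricted walk stops at
'records' exactly as the traceback does.
"""


class Unauthorized(Exception):
    """Stand-in for AccessControl's Unauthorized."""


class Wrapped:
    """Stand-in for an acquisition-wrapped persistent object: it knows its
    container (aq_parent) and declares who may reach it (__roles__)."""

    __roles__ = ("Manager",)

    def __init__(self, name, parent=None):
        self.__name__ = name
        self.aq_parent = parent


class Registry(Wrapped):
    """Models the Registry from the thread: a SimpleItem-like object whose
    'records' is an ordinary property returning a plain mapping."""

    @property
    def records(self):
        # Constructed sample data; a real registry holds Record objects.
        return {"example.setting.one": 1, "example.setting.two": 2}


def validate(name, value, user_roles):
    """Toy per-hop security policy (simpler than Zope's real rules).

    A hop is allowed only when the reached value is acquisition-wrapped and
    declares roles that the user holds.  Plain Python values (dict, method)
    have no __roles__ and no aq_parent, so they are refused."""
    roles = getattr(value, "__roles__", None)
    if roles is None or getattr(value, "aq_parent", None) is None:
        return False
    return any(role in roles for role in user_roles)


def unrestricted_traverse(base, path):
    """Walk ``path`` hop by hop with no security checks (trusted caller)."""
    obj = base
    for name in path.split("/"):
        obj = getattr(obj, name)
    return obj


def restricted_traverse(base, path, user_roles):
    """Walk ``path`` hop by hop, validating every intermediate value."""
    obj = base
    for name in path.split("/"):
        nxt = getattr(obj, name)
        if not validate(name, nxt, user_roles):
            raise Unauthorized(
                "You are not allowed to access %r in this context" % name)
        obj = nxt
    return obj


def evaluate_path_expr(names, path, trusted, user_roles=("Manager",)):
    """Toy path-expression evaluator.

    The first segment is looked up in the TAL namespace; the rest is
    traversed.  ``trusted`` stands for "this template is filesystem code",
    which is when the thread argues the unrestricted branch should be used.
    TAL calls a callable endpoint, which is how 'values' yields the items."""
    first, _, rest = path.partition("/")
    base = names[first]
    if not rest:
        target = base
    elif trusted:
        target = unrestricted_traverse(base, rest)
    else:
        target = restricted_traverse(base, rest, user_roles)
    return target() if callable(target) else target


def evaluate_python_expr(names):
    """The ``python:`` form from the thread: plain attribute access with no
    traversal hook, hence no per-hop check."""
    return names["context"].records.values()


def demo():
    """Run the three cases from the thread and report each outcome."""
    site = Wrapped("test")
    names = {"context": Registry("portal_registry", parent=site)}
    path = "context/records/values"
    out = {}
    try:
        out["restricted"] = sorted(evaluate_path_expr(names, path, trusted=False))
    except Unauthorized as exc:
        out["restricted"] = str(exc)
    out["unrestricted"] = sorted(evaluate_path_expr(names, path, trusted=True))
    out["python_expr"] = sorted(evaluate_python_expr(names))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-12s -> %s" % (case, result))
```

Running it shows the restricted walk failing at the first hop with the same message the traceback ends in, while the trusted walk and the `python:` expression both reach the same values; the difference is entirely which traversal branch the template engine selects for a filesystem template.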