-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Aspeli wrote:
> Hi,
> 
> Ages ago, I started a thread (I think on this list) about the use of TAL 
> expressions in Zope 3-style page templates (i.e. ViewPageTemplateFiles 
> used on views) incorrectly performing security checks when using TAL 
> expressions.
> 
> I think Tres fixed it at the time (I can't find the original mail), but 
> in Zope 2.12.2 there seems to have been a regression. I'd like to make 
> sure I've not missed something, though.
> 
> I see the problem in Plone 4.0a2 on Zope 2.12, trying to use 
> plone.app.registry. This package has a class that derives from 
> plone.registry.registry.Registry (a "ZTK-only" version) and SimpleItem 
> (to get Zope 2 security and ZMI visibility). Otherwise, it does nothing.
> 
> There is a view for this class registered like this:
> 
>      <browser:page
>          name="view"
>          for="plone.registry.interfaces.IRegistry"
>          template="records.pt"
>          permission="cmf.ManagePortal"
>          />
> 
> In records.pt, there is the following:
> 
>      <tr tal:repeat="record context/records/values">
>       ...
>      </tr>
> 
> This fails with the stack trace below. However, if I change it to use a 
> python: expression, it's all fine:
> 
>      <tr tal:repeat="record python:context.records.values()">
>       ...
>      </tr>
> 
> 
> 
> As you can see from the stack trace, the TAL expression has resulted in 
> the use of restrictedTraverse(). I think it should be using 
> unrestrictedTraverse(), since ViewPageTemplateFiles are filesystem code.
> 
> (In this particular case, it's failing the restrictedTraverse check 
> because 'records' is a property and so doesn't have an aq chain, but 
> never mind that).
> 
> Stack trace:
> 
> 2009-12-13 00:40:13 ERROR Zope.SiteErrorLog 1260636013.580.4115611559 
> http://localhost:8080/test/portal_registry/@@view
> Traceback (innermost last):
>    Module ZPublisher.Publish, line 127, in publish
>    Module ZPublisher.mapply, line 77, in mapply
>    Module Products.PDBDebugMode.runcall, line 70, in pdb_runcall
>    Module ZPublisher.Publish, line 47, in call_object
>    Module Products.Five.browser.metaconfigure, line 427, in __call__
>    Module Products.Five.browser.pagetemplatefile, line 126, in __call__
>    Module Products.Five.browser.pagetemplatefile, line 60, in __call__
>    Module zope.pagetemplate.pagetemplate, line 115, in pt_render
>    Module zope.tal.talinterpreter, line 271, in __call__
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 888, in do_useMacro
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>    Module zope.tal.talinterpreter, line 518, in do_optTag
>    Module zope.tal.talinterpreter, line 513, in no_tag
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 888, in do_useMacro
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>    Module zope.tal.talinterpreter, line 518, in do_optTag
>    Module zope.tal.talinterpreter, line 513, in no_tag
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 946, in do_defineSlot
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>    Module zope.tal.talinterpreter, line 518, in do_optTag
>    Module zope.tal.talinterpreter, line 513, in no_tag
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 954, in do_defineSlot
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 533, in do_optTag_tal
>    Module zope.tal.talinterpreter, line 518, in do_optTag
>    Module zope.tal.talinterpreter, line 513, in no_tag
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 946, in do_defineSlot
>    Module zope.tal.talinterpreter, line 343, in interpret
>    Module zope.tal.talinterpreter, line 819, in do_loop_tal
>    Module zope.tales.tales, line 682, in setRepeat
>    Module zope.tales.tales, line 696, in evaluate
>     - URL: 
> /Users/optilude/Development/Plone/Instances/Clients/Lotterywest/osc/src/plone.app.registry/plone/app/registry/browser/records.pt
>     - Line 33, Column 12
>     - Expression: <PathExpr standard:u'context/records/values'>
>     - Names:
>        {'args': (),
>         'container': <Registry at /test/portal_registry>,
>         'context': <Registry at /test/portal_registry>,
>         'default': <object object at 0x1002c7b50>,
>         'here': <Registry at /test/portal_registry>,
>         'loop': {},
>         'nothing': None,
>         'options': {},
>         'repeat': <Products.PageTemplates.Expressions.SafeMapping object 
> at 0x108e8b3b0>,
>         'request': <HTTPRequest, 
> URL=http://localhost:8080/test/portal_registry/@@view>,
>         'root': <Application at >,
>         'template': 
> <Products.Five.browser.pagetemplatefile.ViewPageTemplateFile object at 
> 0x10792b950>,
>         'traverse_subpath': [],
>         'user': <PropertiedUser 'admin'>,
>         'view': <Products.Five.metaclass.SimpleViewClass from 
> /Users/optilude/Development/Plone/Instances/Clients/Lotterywest/osc/src/plone.app.registry/plone/app/registry/browser/records.pt
> object at 0x10885c810>,
>         'views': <Products.Five.browser.pagetemplatefile.ViewMapper 
> object at 0x108cbb0d0>}
>    Module zope.tales.expressions, line 217, in __call__
>    Module Products.PageTemplates.Expressions, line 127, in _eval
>    Module zope.tales.expressions, line 124, in _eval
>    Module Products.PageTemplates.Expressions, line 76, in 
> boboAwareZopeTraverse
>    Module OFS.Traversable, line 312, in restrictedTraverse
>    Module OFS.Traversable, line 247, in unrestrictedTraverse
>     - __traceback_info__: ([], 'records')
> Unauthorized: You are not allowed to access 'records' in this context
>  > 
> /Users/optilude/.buildout/eggs/Zope2-2.12.1-py2.6-macosx-10.6-i386.egg/OFS/Traversable.py(247)unrestrictedTraverse()

Doesn't smell like a regression to me:  the code there hasn't changed in
a good long while.  Can you write a test case for it, so that we can
test against earlier versions?


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkskVvMACgkQ+gerLs4ltQ5yCQCgtBGdNpp8FF2W0N12oAwUGuIN
QnEAni6zkD2mLHEGQ3UXKq6vLUBAOUS0
=V1cV
-----END PGP SIGNATURE-----

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )
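To make concrete what the traceback in the thread shows, here is an added example: toy code written for this page, not Zope's, plone.app.registry's or either poster's code. It models a TAL path expression such as `context/records/values` being walked one segment at a time, with a security policy validating every hop in the restricted walk and no check at all in the unrestricted walk that trusted filesystem code (or a `python:` expression) gets. The names `Unauthorized`, `SecurityPolicy`, `Registry`, `restricted_traverse`, `unrestricted_traverse` and `render_records`, and the rule the policy applies, are this example's own assumptions, not Zope's actual security policy.

```python
"""Toy model of restricted vs. unrestricted path traversal.

Added example, not code from Zope, plone.app.registry or the thread above.
A TAL path expression like 'context/records/values' is walked one segment
at a time; the restricted walk validates every hop through a policy, the
unrestricted walk just does attribute/item lookup. All names here are the
example's own.
"""


class Unauthorized(Exception):
    """Raised when the policy refuses a traversal step."""


class SecurityPolicy:
    """Per-step access check.

    Assumption (this model's rule, not Zope's policy): the container's class
    must declare the name in `_protected` (name -> set of roles) and the user
    must hold one of those roles. A value reached through a plain Python
    property that nobody declared has nothing vouching for it and is refused,
    which is the shape of the 'records' failure in the thread's traceback.
    """

    def __init__(self, user_roles):
        self.user_roles = set(user_roles)

    def validate(self, container, name, value):
        roles = getattr(type(container), "_protected", {}).get(name)
        if roles is None or not (roles & self.user_roles):
            raise Unauthorized(
                "You are not allowed to access %r in this context" % name)
        return value


def traverse(obj, path, validate=None):
    """Walk 'a/b/c' from obj; call validate(container, name, value) on each
    hop when given. A callable at the end is called, as TAL does."""
    current = obj
    for name in path.strip("/").split("/"):
        if hasattr(current, name):
            value = getattr(current, name)
        else:
            value = current[name]          # mapping-style step
        if validate is not None:
            validate(current, name, value)
        current = value
    return current() if callable(current) else current


def restricted_traverse(obj, path, policy):
    """What a checked path expression gets: every hop is validated."""
    return traverse(obj, path, validate=policy.validate)


def unrestricted_traverse(obj, path):
    """What trusted filesystem code (or a python: expression) gets."""
    return traverse(obj, path)


class Registry:
    """Constructed stand-in for the registry object: 'title' carries a
    declaration, 'records' is a plain property with none."""
    _protected = {"title": {"Manager"}}

    def __init__(self):
        self.title = "Site registry"
        self._records = {"plone.x": 1, "plone.y": 2}

    @property
    def records(self):
        return self._records


def render_records(reg, policy=None):
    """Mimic the two template lines from the thread. With a policy this is
    the checked 'context/records/values' path expression; without one it is
    the unchecked 'python:context.records.values()'. Returns the sorted
    record values, or the Unauthorized message."""
    try:
        if policy is None:
            values = unrestricted_traverse(reg, "records/values")
        else:
            values = restricted_traverse(reg, "records/values", policy)
        return sorted(values)
    except Unauthorized as exc:
        return str(exc)


if __name__ == "__main__":
    reg = Registry()
    print(render_records(reg))                               # [1, 2]
    print(render_records(reg, SecurityPolicy({"Manager"})))  # refused at 'records'
    print(restricted_traverse(reg, "title", SecurityPolicy({"Manager"})))
```

The model makes the trust-boundary question explicit: the unchecked walk is only acceptable because the template is filesystem code inside the trust boundary, and the same expression in a through-the-web template would have to stay on the checked path. A regression test of the kind Tres asks for would do the equivalent of `render_records` against a real view on an object with such a property, once per Zope version, and assert that the path-expression form renders rather than raising Unauthorized.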
