Dieter Maurer writes:
 > Jerome Alet writes:
 >  > Thanks to you, the syntax you gave me is accepted by the dtml parser, but
 >  > both
 >  > 
 >  > <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'], 
 >  >           obj_expr='''not objectValues(['Folder'])''', 
 >  >           search_sub=1)">
 >  > 
 >  > and 
 >  > 
 >  > <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'],  
 >  >           obj_expr='not objectValues([\'Folder\'])',
 >  >           search_sub=1)">
 >  > 
 >  > have given me an empty list.
 > I analysed this strange behavior in Zope 2.1.6
 > and have a partial explanation.
 >   Although the permission setting for "objectValues"
 >   is "Access contents information" which by default
 >   is granted to "Anonymous" and "Manager",
 >   only "Manager" is allowed to access "objectValues"
 >   in the context of the above "ZopeFind".
 >   I could not yet determine, why this is the case.
 >   But taken this fact for granted, the behavior
 >   becomes clear: the access to "objectValues" results
 >   in an "Unauthorized" exception. This
 >   is catched but prevents any object from being
 >   added to the result list.

By now, I know why we get this strange "objectValues__roles__"
result inside ZopeFind.

In "FindSupport:145", "ZopeFind" strips away the acquisition
context of an object.

        if hasattr(obj, 'aq_base'):

        if not hasattr(base, 'objectItems'):
            return result
        try:    items=base.objectItems()
        except: return result

This, too, removes the information needed for "acl_user" based authorization:

  In the traversal of the aquisition chain to determine the
  roles associated with "objectValues", the application object
  on top of the acquisition hierarchy is not longer reached.
  Therefore, "ApplicationDefaultPermissions" is not used
  and "PermissionRole" falls back to its own default

This acquisition context stripping is almost surely responsible
for other problems reported for ZopeFind, too.

The behaviour would disappear, if the line

        try:    items=base.objectItems()
is replaced by
        try:    items=obj.objectItems()

Note: "ZopeFindAndApply" would need the same patch.

I am not sure, however, whether this will have adverse effects
at other places.

I will put a reference to this report into the Collector.


Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to