Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>Dieter Maurer schrieb:
> ...
>> I expect that the "message" object implements a "__bobo_traverse__"
>> method (or gets one through "Five").
>> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> without security declarations -- such as e.g. a string.
>> In this case, it insists that "getattr" must return the same object
>> and raise "Unauthorized" otherwise.
>Time   2008/01/25 12:01:53.125 GMT+1
>User Name (User Id)    DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>Request URL    http://devportal:6080/portal_communications/manage_messagequeue
>Exception Type         Unauthorized
>Exception Value        You are not allowed to access 'a particular str' in
>this context
> ...
>   - __traceback_info__: message
>  Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
>   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
>Unauthorized: You are not allowed to access 'a particular str' in this

This may be compatible with my assumption.

Check line 338 in "Products/PageTemplates/".
When this line is in the block handling the "__bobo_traverse__",
then you have confirmed my assumption.

In this case, you must either get rid of the message's "__bobo_traverse__"
or let it return an object with security declarations (such
as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
and "__roles__=None") or ensure that a "getattr" results in the same
str or fix Zope.

Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to