Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>Dieter Maurer wrote:
> ...
>> I expect that the "message" object implements a "__bobo_traverse__"
>> method (or gets one through "Five").
>> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> without security declarations -- such as e.g. a string.
>> In this case, it insists that "getattr" must return the same object
>> and raise "Unauthorized" otherwise.
>
>Time 2008/01/25 12:01:53.125 GMT+1
>User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>Request URL http://devportal:6080/portal_communications/manage_messagequeue
>Exception Type Unauthorized
>Exception Value You are not allowed to access 'a particular str' in
>this context
> ...
> - __traceback_info__: message
> Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
> - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
>Unauthorized: You are not allowed to access 'a particular str' in this
>context

This may be compatible with my assumption.

Check line 338 in "Products/PageTemplates/Expressions.py".
When this line is in the block handling the "__bobo_traverse__",
then you have confirmed my assumption.

In this case, you must either get rid of the message's
"__bobo_traverse__" or let it return an object with security
declarations (such as an "str" wrapper with an
"__allow_access_to_unprotected_subobjects__=1" and "__roles__=None")
or ensure that a "getattr" results in the same str or fix Zope.

--
Dieter
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
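
The check and two of the remedies described in the reply above, as an added example that is not part of the original message and is not Zope's code. `model_traverse` is a simplified stand-in for the traversal check, and `Message`, `WrappedMessage`, `AttrMessage`, `PublicStr` and the `ID` value are hypothetical names constructed for illustration.

```python
# Simplified model of the traversal check described in the reply.
# Illustration only: this is NOT code from Zope.

class Unauthorized(Exception):
    pass

_MISSING = object()

def model_traverse(parent, name):
    """One traversal step through __bobo_traverse__, then the model check."""
    result = parent.__bobo_traverse__(None, name)
    if hasattr(result, "__roles__"):
        # Declared object: in this model, __roles__ = None means public.
        if result.__roles__ is None:
            return result
        raise Unauthorized(name)
    # Undeclared object (e.g. a plain str): accepted only when getattr on
    # the parent yields the same value.
    if getattr(parent, name, _MISSING) == result:
        return result
    raise Unauthorized("not allowed to access %r in this context" % name)

class PublicStr(str):
    """str wrapper with the two declarations named in the reply
    (the model above only reads __roles__)."""
    __allow_access_to_unprotected_subobjects__ = 1
    __roles__ = None

class Message:
    """Hypothetical message: fields live in a dict, not as attributes."""
    def __init__(self, **fields):
        self._fields = fields
    def __bobo_traverse__(self, request, name):
        return self._fields[name]              # plain str, no declarations

class WrappedMessage(Message):
    def __bobo_traverse__(self, request, name):
        return PublicStr(self._fields[name])   # remedy: declared wrapper

class AttrMessage(Message):
    def __getattr__(self, name):               # remedy: getattr agrees
        try:
            return self.__dict__["_fields"][name]
        except KeyError:
            raise AttributeError(name)

def outcome(cls):
    try:
        return model_traverse(cls(ID="msg-0001"), "ID")  # constructed value
    except Unauthorized:
        return "Unauthorized"
```
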