[BlueBream] Strange effect with @@view calling

Christophe Combelles ccomb at free.fr
Wed Mar 31 09:05:37 EDT 2010


Dr. Volker Jaenisch wrote:
> Hello BlueBream List!

hello!

> 
> I am new to Bluebream but I programmed in Python/Plone/Zope/
> for some years. Thank you a lot for bringing up Zope3 to life again!
> 
> Currently I got a strange effect calling a view in my bluebream project.
> 
> A) If I call it like this http://../engine/index
> it works without problems.
> 
> B) If I call it like this http://../engine/@@index
> I got a stacktrace which ends in a forbiddenAttribute error.

It looks like a traversing issue, a configuration issue or conflict.

Are you using an old version of z3c.layer? There was a misconfiguration related 
to traversing.


> 
> The view itself is trivial:
> 
> class BookingEngineDefaultView(BrowserView):
>     """Default view for a booking engine"""
> 
>     def update(self):
>         import pdb; pdb.set_trace()
> 
> Suppose the following Model
> zope-root -> engine -> Product
> where Product has an attribute "name".
> 
> The view just uses a pagetemplate that does:
> 
>      <li tal:repeat="products context/values">
>       <a tal:attributes="href products/@@absolute_url"
>          tal:content="python:products.name">Name</a>
> 
> In Case B) the following stacktrace results:
> 
> *Line 10, Column 6*
> *In expression: <PythonExpr (products.name)>*
> 
>    - Names:
>       {'args': (),
>        'context': <inqbus.booking.engine.app.BookingEngine object at 0xa43ca2c>,
>        'default': <object object at 0xb7547680>,
>        'loop': {},
>        'nothing': None,
>        'options': {},
>        'repeat': {},
>        'request': <zope.publisher.browser.BrowserRequest instance URL=http://127.0.0.1:8080/++skin++Booking/engine/@@index>,
>        'template': <z3c.ptcompat.ViewPageTemplateFile object at 0xa2bd96c>,
>        'view': <z3c.pagelet.zcml.BookingEngineDefaultView object at 0xa550d2c>,
>        'views': <zope.browserpage.viewpagetemplatefile.ViewMapper object at 0xa5c306c>}
> 
> 
> Module zope.tales.tales:696 in evaluate
>             __traceback_supplement__ = (
>                TALESTracebackSupplement, self, expression)
>             return expression(self)
> 
>         evaluateValue = evaluate
>     >>  return expression(self)
> 
> (products.name)
> 
> Module zope.tales.pythonexpr:59 in __call__
>             __traceback_info__ = self.text
>             vars = self._bind_used_names(econtext, __builtins__)
>             return eval(self._code, vars)
> 
>         def __str__(self):
>     >>  return eval(self._code, vars)
> Module ?:1 in <module>
> ForbiddenAttribute: ('name', <inqbus.booking.classes.product.Product object at 0xa35c5cc>)
> 
> 
> I am wondering:
> * Why do the similar URLs that lead to the same view (proved by pdb)
> with the same principal (zope.Manager, proved by pdb) lead to different 
> results?
> * How could it be that a forbiddenAttribute error is raised if I work 
> as Zope.Manager that has a grantAll Permission?


It can happen if you're trying to get an attribute on an object, which is 
missing on the interface used for the <class> security declaration.


> 
> The effect is independent of the type of the view. I tried pagelet-Style 
> and BrowserView-Style with the same
> outcome.
> 
> My guess is, that the B) URL results in a more paranoid security 
> checking than the A) URL.
> But if this is the case, is this behavior the correct one?

With A), you let traversing decide if this is a view or an object. Check that 
you don't have an 'index' object in your container. The traversing will first try 
to get an 'index' object, then an 'index' view.

With B) you directly reach the view.

To be sure, you can put a breakpoint in the default traversing adapter, which 
should be somewhere in zope.traversing.(namespace?)

Christophe


> 
> Any hints welcome. In the appendix you find the relevant ZCML
> 
> Best Regards
> 
> Volker
> 
> 
> <!-- booking engine default view -->
>   <browser:defaultView
>      for="..interfaces.IBookingEngine"
>      name="index"
>     layer=".layer.IBookingBrowserLayer"
>      />
> 
> <!-- booking engine default view -->
>   <z3c:pagelet
>      for="..interfaces.IBookingEngine"
>      name="index"
>      permission="zope.ManageContent"
>      layer=".layer.IBookingBrowserLayer"
>      class=".views.BookingEngineDefaultView"
>      />
> 
> <!-- template for booking engine default view -->
> <z3c:template
>     template="frontpage.pt"
>     for=".views.BookingEngineDefaultView"
>     layer=".layer.IBookingBrowserLayer"
>     />
> 
> <!-- menu item for booking engine default view -->
> <browser:viewlet
>     name="View booking engine"
>     viewURL="@@index"
>     for="zope.app.component.interfaces.ISite"
>     manager=".skin.INavigationMenu"
>     class="z3c.menu.simple.menu.GlobalMenuItem"
>     layer=".layer.IBookingBrowserLayer"
>     permission="zope.ManageContent"
>     weight="1"
>     />
> 
> 
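
The reply's point about ForbiddenAttribute, as an added example that is not part of the original message: a simplified, standard-library-only model of a name-based security checker (not zope.security's own code; `Checker`, `Proxy`, `read`, the permission sets and the sample product are hypothetical). It shows that an attribute with no declared permission is refused even for a principal holding every permission, while a declared attribute fails with a different error when the grant is missing.

```python
# Simplified model of a name-based security checker (added illustration;
# not zope.security's code). All class and function names are hypothetical.

class ForbiddenAttribute(AttributeError):
    """No permission is declared for this attribute name at all."""

class Unauthorized(Exception):
    """A permission is declared, but the principal does not hold it."""

class Checker:
    def __init__(self, declared):
        self.declared = dict(declared)   # attribute name -> required permission

    def check_getattr(self, obj, name, granted):
        permission = self.declared.get(name)
        if permission is None:
            # Undeclared name: refused before any grant is consulted.
            raise ForbiddenAttribute(name, obj)
        if permission not in granted:
            raise Unauthorized(name, permission)

class Proxy:
    """Wraps an object; every attribute read goes through the checker."""
    def __init__(self, obj, checker, granted):
        object.__setattr__(self, "_state", (obj, checker, frozenset(granted)))

    def __getattr__(self, name):
        obj, checker, granted = object.__getattribute__(self, "_state")
        checker.check_getattr(obj, name, granted)
        return getattr(obj, name)

class Product:
    def __init__(self, name, price):
        self.name, self.price = name, price

def read(proxy, attr):
    """Return ('ok', value) or (error class name, attribute)."""
    try:
        return ("ok", getattr(proxy, attr))
    except (ForbiddenAttribute, Unauthorized) as exc:
        return (type(exc).__name__, attr)

ALL_GRANTS = {"zope.View", "zope.ManageContent"}   # manager-like principal
incomplete = Checker({"price": "zope.View"})       # 'name' left undeclared
complete = Checker({"price": "zope.View", "name": "zope.View"})
product = Product("Room 12", 80)                   # constructed sample data
```
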


