[Zope] Zope 2.1.5 release and *security update*

Chris Allen chris_allen@aurema.com
Mon, 20 Mar 2000 20:02:17 +1100


Yeh, and now that ZSQLMethods don't work neither does GUF with MySQL - e.g.,
the following code fails:

  <dtml-in "sqlGetUserRoles(username=username)">
  <dtml-call "REQUEST.set('ret', ret + ' ' + _['sequence-item'].rolename)">
  </dtml-in>
  <dtml-return ret>

With the error message:

  "You are not authorised to access 'rolename'"

The method has a Proxy role with appropriate access to the MySQL method.  It
just doesn't seem able to access the results variable!?

Regards,
Chris

"Graham Chiu" <anon_emouse@hotmail.com> wrote in message
news:<Gl2o8NAvI$04EwL1@compkarori.com>...
> In article <613145F79272D211914B0020AFF6401914DE7D@gandalf.digicool.com>
> , Brian Lloyd <Brian@digicool.com> writes
> >  o It also came to our attention that the DTML code in
> >    ZSQLMethod objects was not subject to the same security
> >    constraints as the DTML code in DTMLMethods and DTML
> >    Documents.
>
> Hmm. This update has broken all my zsqlmethods I've tested so far.  I'm
> reverting to 2.1.4.
>
> E.g., when testing from the management interface:
>
> File D:\zope2\lib\python\Shared\DC\ZRDB\DA.py, line 459, in __call__
>     (Object: sqlShowComment)
> TypeError: too many arguments; expected 4, got 5
>
> SQLSESSION has also died with this version release.
>
>
> -------
> Regards,        Graham Chiu
> gchiu<at>compkarori.co.nz
> http://www.compkarori.com/dynamo - The Homebuilt Dynamo
> http://www.compkarori.com/dbase - The dBase bulletin
>