[Zope] 2.4.0 and pythonmethod

Shane Hathaway shane@digicool.com
Thu, 26 Jul 2001 13:06:09 -0400 (EDT)


On Thu, 26 Jul 2001, Richard Barrett wrote:

> At 00:49 25/07/2001 -0400, Shane Hathaway wrote:
>
> snip ...
>
> > > ------
> > > 2001-07-24T10:11:33 PROBLEM(100) Init Ambiguous name for method of
> > > Products.PythonMethod.PythonMethod.PythonMethod: "manage" != "manage_main"
> >
> >The PythonMethod product, like many other products, tries to make the
> >management screens available to users depending on their permissions.
> >Unfortunately there was a problem with the way the management screens
> >were being set up and consequently in some cases only managers can
> >access the screens.  It's a case of overzealous security.  There's a way
> >to fix it but unless you're going to let non-managers create Python
> >Methods, it's nothing to worry about.
>
> I would appreciate it if you would outline how to fix this as I'm
> encountering the problem with other Zope product and want to get rid of
> spurious error messages.

Okay.  You have to explicitly declare the name of the methods.  Here is a
snippet of PythonScript.py:

    ZPythonScriptHTML_editForm = DTMLFile('www/pyScriptEdit', globals())
    manage = manage_main = ZPythonScriptHTML_editForm
    ZPythonScriptHTML_editForm._setName('ZPythonScriptHTML_editForm')

The third line was added just recently.  It explicitly declares to the
security machinery what the name of the DTMLMethod
"ZPythonScriptHTML_editForm" is.  A human can easily see that the name is
"ZPythonScriptHTML_editForm", but Zope can't tell whether it should be
"ZPythonScriptHTML_editForm", "manage", "manage_main", or even
"pyScriptEdit".

Python doesn't provide any easy way to figure out the correct name of a
DTMLMethod, but Zope tries to anyway.  The error message was added to
notify product authors that Zope had to take a guess!  So you'll want to
add a similar line to a product for each occurrence of the "ambiguous
name" warning.

This is a problem that has always existed in Zope products.  You just
didn't know about it until Zope 2.4.0.  It's really not a serious thing at
all, just something that *might* prevent access to a management screen
when access ought to be granted.

Shane
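
The following is an added illustration, not part of the original message and not Zope's own code: a simplified model of a permission lookup keyed on an object's name, showing how an object bound under several attribute names is flagged as ambiguous and how an explicit `_setName` call restores access for non-managers. The `Template` class, the helper functions, the "last binding" guess rule and the permission strings are all assumptions made for the example.

```python
# Simplified model, not Zope's code: permissions are looked up by an object's
# name, so an object bound under several attribute names needs one declared.

class Template:
    """Stand-in for a DTMLFile; it knows its file path but not its name."""
    def __init__(self, path):
        self.path = path
        self.declared_name = None

    def _setName(self, name):  # same call as in the post
        self.declared_name = name


def bindings(cls, obj):
    """All attribute names under which obj is bound in the class body."""
    return [attr for attr, value in vars(cls).items() if value is obj]


def ambiguous(cls):
    """Alias lists of templates bound more than once with no declared name."""
    seen, found = set(), []
    for value in vars(cls).values():
        if isinstance(value, Template) and id(value) not in seen:
            seen.add(id(value))
            names = bindings(cls, value)
            if len(names) > 1 and value.declared_name is None:
                found.append(names)
    return found


def may_access(cls, attr, user_permissions, declared_permissions):
    """Check access by name; the guess rule (last binding) is an assumption."""
    obj = vars(cls)[attr]
    name = obj.declared_name or bindings(cls, obj)[-1]
    # A name with no declared permission falls back to manager-only access.
    required = declared_permissions.get(name, "Manager")
    return required in user_permissions


def make_script_class(declare):
    """Build a class laid out like the snippet, with or without _setName."""
    class Script:
        editForm = Template("www/pyScriptEdit")
        manage = manage_main = editForm
        if declare:
            editForm._setName("editForm")
    return Script
```

Running `ambiguous()` over each product class before deployment lists the same aliases the "ambiguous name" log entry complains about.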