[Zope] Page Templates: AttributeError versus Unauthorized

J M Cerqueira Esteves jmce@artenumerica.com
13 Oct 2002 06:16:47 +0100 

--=-RMgzrU46KF1zMPws2TMz
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Greetings

Why does it happen, for some expressions in Page Templates, that when
trying to use an object with restrictive permissions one just gets an
AttributeError instead of the apparently expected Unauthorized error
(which would induce the expected username/password request)?

I am using Zope 2.6.0b1 (Linux, Python 2.1.3) and observed the
following also after replacing its Page Templates product with the
latest cvs.zope.org version
(Zope27/lib/python/Products/PageTemplates).  Note that line numbers in
the traceback below refer to these PageTemplate files and not to those
of 2.6.0b1.


An example: I have a standard_page_template of the form

  <metal:block define-macro=3D"page">
  <!DOCTYPE ... >
  <html ...> <head> ... </head> <body ...>

   [page header stuff...]
   <a tal:attributes=3D"href ..."
      tal:content=3D"structure python:here.logo_l.tag( ... )">
   [... more page header stuff]

  <metal:block define-slot=3D"body"> </metal:block>

  </body> </html>
  </metal:block>


One of my tests involved restricting the "View" permission of the
`logo_l' image (used above) to the Manager role and to another
(user-defined) role. Then:


CASE 1: when accessing a Page Template (PT) document like=20

  <metal:block use-macro=3D"here/standard_page_template/macros/page">
  <metal:block fill-slot=3D"body">
   [... page contents ...]
  </metal:block>
  </metal:block>

the browser requests a username/password pair, as expected.
And if I fail to provide those, I get (also as expected) the following
error:

   Error Type: Unauthorized
   Error Value: You are not allowed to access logo_l in this context


CASE 2 (indirect standard_page_template usage):=20
when accessing the PT document

  <tal:block
    replace=3D"structure python:container.forum.arts( ... )">
  </tal:block>

where  forum/arts  is a Python Script ending with

  return arts_front_page ( ... )

and arts_front_page has the *same structure* as the document in Case 1
(i.e., finally invoking standard_page_template), I get

   Error Type: AttributeError
   Error Value: logo_l

without any username/password request.


Here is the traceback for Case 2 (the example PT being `index_html'),
abbreviated in a few places:

    * Module ZPublisher.Publish, line 98, in publish
    * Module ZPublisher.mapply, line 88, in mapply
    * Module ZPublisher.Publish, line 39, in call_object
    * Module Shared.DC.Scripts.Bindings, line 252, in __call__
    * Module Shared.DC.Scripts.Bindings, line 283, in _bindAndExec
    * Module Products.PageTemplates.ZopePageTemplate, line 228, in _exec
    * Module Products.PageTemplates.PageTemplate, line 95, in pt_render
      <ZopePageTemplate at /zzzzzz/index_html>
    * Module TAL.TALInterpreter, line 186, in __call__
    * Module TAL.TALInterpreter, line 230, in interpret
    * Module TAL.TALInterpreter, line 578, in do_insertStructure_tal
    * Module Products.PageTemplates.TALES, line 217, in evaluate
      URL: /zzzzzz/index_html
      Line 1, Column 0
      Expression: <PythonExpr container.forum.arts( ... )>
      Names:

{'container': <Folder instance at 8b8f140>,
 'default': <Products.PageTemplates.TALES.Default instance at
0x8772524>,
 'here': <Folder instance at 8b8f140>,
 'loop': <SafeMapping instance at 8ca87d8>,
 'modules': <Products.PageTemplates.ZRPythonExpr._SecureModuleImporter
instance at 0x876abec>,
 'nothing': None,
 'options': {'args': ()},
 'repeat': <SafeMapping instance at 8ca87d8>,
 'request': <HTTPRequest, URL=3Dhttp://zzzzzz.org/index_html>,
 'root': <Application instance at 859ad10>,
 'template': <ZopePageTemplate at /zzzzzz/index_html>,
 'traverse_subpath': [],
 'user': Anonymous User}

    * Module Products.PageTemplates.ZRPythonExpr, line 48, in __call__
      __traceback_info__: container.forum.arts( ... )
    * Module Python expression "container.forum.arts( ... )", line 2, in
f
    * Module Shared.DC.Scripts.Bindings, line 252, in __call__
    * Module Shared.DC.Scripts.Bindings, line 283, in _bindAndExec
    * Module Products.PythonScripts.PythonScript, line 315, in _exec
    * Module Script (Python), line 95, in arts
      <PythonScript at /zzzzzz/forum/arts>
      Line 95
    * Module Shared.DC.Scripts.Bindings, line 252, in __call__
    * Module Shared.DC.Scripts.Bindings, line 283, in _bindAndExec
    * Module Products.PageTemplates.ZopePageTemplate, line 228, in _exec
    * Module Products.PageTemplates.PageTemplate, line 95, in pt_render
      <ZopePageTemplate at /zzzzzz/forum/arts_front_page>
    * Module TAL.TALInterpreter, line 186, in __call__
    * Module TAL.TALInterpreter, line 230, in interpret
    * Module TAL.TALInterpreter, line 689, in do_useMacro
    * Module TAL.TALInterpreter, line 230, in interpret
    * Module TAL.TALInterpreter, line 400, in do_optTag_tal
    * Module TAL.TALInterpreter, line 385, in do_optTag
    * Module TAL.TALInterpreter, line 380, in no_tag
    * Module TAL.TALInterpreter, line 230, in interpret
    * Module TAL.TALInterpreter, line 720, in do_defineSlot
    * Module TAL.TALInterpreter, line 230, in interpret
    * Module TAL.TALInterpreter, line 400, in do_optTag_tal
    * Module TAL.TALInterpreter, line 385, in do_optTag
    * Module TAL.TALInterpreter, line 380, in no_tag
    * Module TAL.TALInterpreter, line 230, in interpret
    * Module TAL.TALInterpreter, line 578, in do_insertStructure_tal
    * Module Products.PageTemplates.TALES, line 217, in evaluate
      URL: /zzzzzz/standard_page_template
      Line 37, Column 0
      Expression: <PythonExpr here.logo_l.tag( ... )>
      Names:

{'container': <Folder instance at 8beac30>,
 'default': <Products.PageTemplates.TALES.Default instance at
0x8772524>,
 'here': <Folder instance at 8beac30>,
 'loop': <SafeMapping instance at 8a446f8>,
 'modules': <Products.PageTemplates.ZRPythonExpr._SecureModuleImporter
instance at 0x876abec>,
 'nothing': None,
 'options': {'args': (), ... },
 'repeat': <SafeMapping instance at 8a446f8>,
 'request': <HTTPRequest, URL=3Dhttp://zzzzzz.org/index_html>,
 'root': <Application instance at 859ad10>,
 'template': <ZopePageTemplate at /zzzzzz/forum/arts_front_page>,
 'traverse_subpath': [],
 'user': Anonymous User}

    * Module Products.PageTemplates.ZRPythonExpr, line 48, in __call__
      __traceback_info__: here.logo_l.tag( ... )
    * Module Python expression "here.logo_l.tag( ... )", line 2, in f

AttributeError: logo_l


Why?

Best regards
                  J Esteves


--=-RMgzrU46KF1zMPws2TMz
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9qQG/kgbjpeF+vgoRAllLAJ49GNSOpjRoB9J1eR5LXTIA0oy9MACcDcU9
NgP3baARtd6wqQBSv5MbQA4=
=QV2o
-----END PGP SIGNATURE-----

--=-RMgzrU46KF1zMPws2TMz--