[Zope] external method problems...

Dieter Maurer dieter@handshake.de
Fri, 27 Jun 2003 19:55:27 +0200

Jeffrey Hood wrote at 2003-6-26 17:32 -0400:
 > I have an external method (which makes a SOAP call) which when running the
 > test on, works and returns data as expected...  however, with the following
 > tal code:
 > ...
 >     <table border="1" tal:define="data python:here.getRecords()['item']">
 >     <tr tal:repeat="record data">  
 >         <td tal:content="python:record[0]">record item 1</td>
 > ...
 > I am getting a basic authentication box... which I don't want... and
 > additionally, no matter if I type in a valid superuser login and password,
 > the box just keeps coming up...

What type of object is "record"?
What type is "record[i]"?
Either one seems to be an instance without security declarations.

Convert the "record" into a dictionary (in your External Method) or
give "record[i]" the necessary security declarations (see
Zope Developer Guide, for details).

 >  I'm guessing that there is some kind of
 > permission problem, although I don't know why calling it via the url
 > anonymously (http://...../getRecords) returns the same as the test...  is
 > there something that I am missing in tal to call the external method that
 > requires setting some permissions ?

You may have encountered a security bug!

  ZPublisher (more precisely "BaseResponse") converts the result
  into a string (calling "str"). This is done from unrestricted
  code. It may reveal information which is not available from
  restricted code (as your TAL).

Please file a bug report.