[Zope] Still lost in security land

davidnwd at bellsouth.net davidnwd at bellsouth.net
Thu Jun 10 11:50:11 EDT 2004


Hi all:

I'm calling an External Method to access a SOAP service. OK, here's the External Method's code:

import sys
import Globals
from os import path
from Acquisition import aq_base
from AccessControl import ClassSecurityInfo
from Acquisition import Implicit

import SOAPpy

# Acquisition-aware holder for the rows that come back from the SOAP query.
#
# NOTE(review): documentation is kept in '#' comments on purpose. Zope 2's
# publisher uses the presence of a docstring to decide whether an object may be
# published through the web, so adding docstrings to this class or its method
# would not be a documentation-only change.
class Result(Implicit):

  # Collects the security declarations; InitializeClass (below) applies them.
  security = ClassSecurityInfo()

  # The Result object itself can be accessed without any permission check.
  security.declareObjectPublic()

  # getResults() is callable by any caller, restricted code included.
  # NOTE(review): both declarations cover Result and getResults() only. They
  # say nothing about the objects stored inside _results; those are checked
  # against their own class when restricted code touches them.
  security.declarePublic('getResults')

  def __init__(self, results):
    # Stored under an underscore name, so restricted code has to go through
    # getResults() rather than reading the attribute directly.
    self._results = results

  def getResults(self):
    # Returns exactly the object the constructor received: no copy and no
    # conversion of the items it contains.
    return self._results

# Apply the declarations collected in Result.security to the class.
Globals.InitializeClass(Result)

def search(self, REQUEST):
    # External Method entry point: reads the search form from REQUEST, sends it
    # to the SOAP service as a "Criteria" struct and returns the 'results' part
    # of the reply wrapped in a Result placed in the acquisition context of self.

    # edit this for the exact server
    # NOTE(review): the proxy is rebuilt from this WSDL on every call, over
    # plain HTTP. That is contained while the service is on localhost; if the
    # URL is ever pointed at another host, criteria and results would travel
    # unencrypted and unauthenticated, so confirm before changing it.
    wsdl_location = 'http://localhost:8080/jboss-net/services/OISSoap?wsdl'
    service = SOAPpy.WSDL.Proxy(wsdl_location)

    # Get values from the REQUEST
    # NOTE(review): the values are forwarded as submitted (None when a field is
    # absent); nothing here checks type, range or allowed values before they
    # reach the backend, so validate them here or confirm the service does.
    form_fields = ('gender', 'race', 'age', 'agerange', 'height',
                   'heightrange', 'eyecolor', 'haircolor', 'crimes', 'counties')
    submitted = {}
    for field in form_fields:
        submitted[field] = REQUEST.get(field)

    # The service takes arrays for these two; each submitted value is wrapped
    # in a one-element list.
    # NOTE(review): if the form can submit several crimes/counties, the value
    # is presumably already a list and ends up nested; confirm against the form.
    crimes = SOAPpy.arrayType(data=[submitted['crimes']])
    counties = SOAPpy.arrayType(data=[submitted['counties']])

    criteria = SOAPpy.structType(data={
        "age": submitted['age'],
        "ageRange": submitted['agerange'],
        "counties": counties,
        "county": '',            # not used for now
        "crimes": crimes,
        "currentRow": 0,         # not used for now
        "eyeColor": submitted['eyecolor'],
        "from": 'portal',
        "gender": submitted['gender'],
        "hair": submitted['haircolor'],
        "height": submitted['height'],
        "heightRange": submitted['heightrange'],
        "idNbr": '',             # not used for now
        "idType": '',            # not used for now
        "race": submitted['race'],
        "rowLimit": 20,
        "sentenceInfo": '',      # not used for now
        "weight": '',            # not used for now
        "weightRange": '',       # not used for now
    })

    reply = service.query(Criteria=criteria)

    # NOTE(review): reply['results'] is handed on unchanged, so the rows stay
    # SOAPpy structType objects. That class carries no Zope security
    # assertions, which is what the "container has no security assertions"
    # denial reports once a restricted script or template reads a field such as
    # DOCNbr. Result's public declarations do not extend to the rows. The
    # narrow fix is to copy just the fields the page needs into plain
    # dicts/lists here, in unrestricted code; opening the SOAPpy class up with
    # AccessControl's allow_class is the broader alternative.
    return Result(reply['results']).__of__(self)


Now, everything's cool, the class works from inside Zope (Plone), and I get my result object. Then I:

# get a list of people from search criteria
#
# NOTE(review): this looks like the body of a form-controller Script (Python)
# ('context' and 'state' are bound by Zope), i.e. it runs as restricted code.

request = context.REQUEST

# process the search criteria
found = context.search(request)

# put in the session as a transient object
# NOTE(review): what lands in the session is the raw list handed back by
# getResults(). Calling getResults() is allowed because it is declared public,
# but the rows inside are still SOAPpy objects, and the page that reads them
# back from the session is subject to the same per-object access checks.
# NOTE(review): judging by the error output the rows are personal records
# (names, DOC numbers); they stay in server-side session storage until the
# session expires, so confirm that retention is intended.
request.SESSION['results'] = found.getResults()

# (Optional) set the default next action (this can be overridden
# in the script's actions tab in the ZMI).
state.setNextAction('redirect_to:string:search_results')

# Always make sure to return the ControllerState object
return state

This is what I get in search_results:
The container has no security assertions. Access to 'DOCNbr' of (SOAPpy.Types.structType multiRef at 52304152): {'status': 'INACTIVE', 'DOCNbr': 139999L, 'isDCC': 0, 'isDOP': 1, 'firstName': 'RANDALL', 'middleName': '', 'gender': 'MALE', 'age': 30L, 'hasDCC': 1, 'race': 'WHITE', 'lastName': 'SOMMERS'} denied. 

Following the ZDG (Zope Developer's Guide), this is exactly what they show, yet the result array inside my object has its own assertions, and I CAN'T GET TO THEM!

Help!




