[Zope] Guarded __getitem__ with non-ascii unicode key

Peter Bengtsson peter at fry-it.com
Sun Apr 20 14:19:41 EDT 2008

Today I had to write this supporting method in my product to prevent a
rather strange Unauthorized error in my Page Template. My docstring
should explain what I understand::

    def unsafe_unicode_dict_getitem(self, dictionary, item):
        """ Return the value of this item in a dictionary object.

        Simply call the __getitem__ of this dictionary to pluck out an

        Why call this unsafe_...() ?
        If you try to do this in a guarded context (e.g. Script (Python)
        (or Page Template)) you'll get an Unauthorized error:

          d = {u'\xa3':1}
          d[u'\xa3'] # will raise an Unauthorized error

          # this works however
          d = {u'\xa3':1, u'asciiable':1}

        Why? I don't know. The place where it happens is the parental guardian
        function guarded_getitem() from ZopeGuards.py

        By instead calling the __getitem__ from here in unrestricted python
        we can bypass this.
        return dictionary[item]

Is my app unsafe now?
Why is it not possible to get to __getitem__ if the key is non-ascii?

Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com

More information about the Zope mailing list