[Zope] Dieter Mauer's Reference Product
dieter at handshake.de
Tue Mar 16 12:42:00 EDT 2010
Brian Brinegar wrote at 2010-3-16 10:12 -0400:
>Our university relies heavily on a Zope product based on Dieter Maurer's
>"Reference" product. Recently, we upgraded from Zope 2.9.6 to Zope
>2.11.x and found some changes in behavior.
>In short the Reference product creates a Symlink like pointer in the
>Zope hierarchy. Dieter's product can be found on his site at:
>First, the security machinery now prevents access to attributes of
>References through page template path notation. For example, the
> * Module zope.tales.expressions, line 217, in __call__
> * Module Products.PageTemplates.Expressions, line 133, in _eval
> * Module zope.tales.expressions, line 124, in _eval
> * Module Products.PageTemplates.Expressions, line 82, in
> * Module OFS.Traversable, line 301, in restrictedTraverse
> * Module OFS.Traversable, line 232, in unrestrictedTraverse
> __traceback_info__: (, 'property_name')
>Unauthorized: You are not allowed to access 'property_name' in this context
This is a bug/weakness in Zope which affects the "traversal" methods
(used for TALES path expressions):
When a value is retrieved during traversal via
"__bobo_traverse__" which does not have its own
security declarations (impossible for a simple datatype),
then the traversal insists that it is the same object
(verified by object identity) than the object retrieved
via "getattr" ("guarded_getattr", to be precise).
This drastically restricts the access to simple values
via traversal if "__bobo_traverse__" is defined.
"Reference" grew a "__bobo_traverse__" method to work
around a (apparent) Five bug as delivered with Zope 2.9.
Maybe, the "__bobo_traverse__" method is not longer necessary
for Zope 2.11. Try to comment it out.
>Second, through path notation or URL traversal, References under the
>previous version of Zope would default to using methods / objects within
>the target before falling back to acquisition. Under Zope 2.11 acquired
>methods/objects take priority (only when traversed).
>For example, assuming there is an index_html in the root as well as in
>the target, and using the following code:
>Zope 2.11 yields the path to the acquired index_html:
>Zope 2.9.6 yields the path to the index_html in the target:
>Again, through python, both yield the second, desired output.
This sounds strange -- almost unbelievable.
I will look into it within the next few days and report back.
More information about the Zope