[ZPT] CVS: Packages/Products/PageTemplates (Products/DC/PageTemplates) - Expressions.py:1.5

shane@digicool.com shane@digicool.com
Fri, 6 Apr 2001 10:26:57 -0400 (EDT)


Update of /cvs-repository/Packages/Products/PageTemplates
In directory korak:/tmp/cvs-serv31080

Modified Files:
	Expressions.py 
Log Message:
- Fixed mistake in restrictedTraverse() security.
- Made ZPT invoke DTML the normal way.



--- Updated File Expressions.py in package Packages/Products/PageTemplates --
--- Expressions.py	2001/03/27 15:10:09	1.4
+++ Expressions.py	2001/04/06 14:26:56	1.5
@@ -95,6 +95,7 @@
 from TALES import Engine, CompilerError, _valid_name, NAME_RE
 from string import strip, split, join, replace, lstrip
 from DocumentTemplate.DT_Util import TemplateDict
+from Acquisition import aq_base
 
 _engine = None
 def getEngine():
@@ -114,6 +115,24 @@
     reg('not', NotExpr)
     reg('import', ImportExpr)
 
+def render(ob):
+    """
+    Calls the object, possibly a document template, or just returns it if
+    not callable.  (From DT_Util.py)
+    """
+    base = aq_base(ob)
+    if callable(base):
+        try:
+            if getattr(base, 'isDocTemp', 0):
+                ob = ob(ob, ob.REQUEST)
+            else:
+                ob = ob()
+        except AttributeError, n:
+            if n != '__call__':
+                raise
+    return ob
+
+
 class PathExpr:
     def __init__(self, name, expr):
         self._s = expr
@@ -158,10 +177,7 @@
                 return 1
         if self._name == 'nocall':
             return ob
-        mm = TemplateDict()
-        mm._push(var)
-        mm._push({'_ob': ob})
-        return mm['_ob']
+        return render(ob)
 
     def __str__(self):
         return '%s expression "%s"' % (self._name, self._s)
@@ -310,6 +326,8 @@
 
     if not path: return self
 
+    __traceback_info__ = path
+
     get=getattr
     N=None
     M=[] #marker
@@ -335,7 +353,7 @@
             raise 'NotFound', name
 
         if name=='..':
-            o=getattr(object, 'aq_parent', M)
+            o = getattr(object, 'aq_parent', M)
             if o is not M:
                 if not securityManager.validate(object, object, name, o):
                     raise 'Unauthorized', name
@@ -354,19 +372,13 @@
         else:
             o=get(object, name, M)
             if o is not M:
-                # waaaa
-                if hasattr(get(object,'aq_base',object), name):
-                    # value wasn't acquired
-                    if not securityManager.validate(
-                        object, object, name, o):
-                        raise 'Unauthorized', name
-                    pass
+                # Check security.
+                if hasattr(object, 'aq_acquire'):
+                    object.aq_acquire(
+                        name, validate2, securityManager.validate)
                 else:
-                    if not securityManager.validate(
-                        object, None, name, o):
+                    if not securityManager.validate(object, object, name, o):
                         raise 'Unauthorized', name
-                    pass
-                        
             else:
                 o=object[name]
                 if not securityManager.validate(object, object, None, o):
@@ -374,3 +386,9 @@
         object = o
 
     return object
+
+
+def validate2(orig, inst, name, v, real_validate):
+    if not real_validate(orig, inst, name, v):
+        raise 'Unauthorized', name
+    return 1