[ZPT] using TALES expressions elsewhere

Martijn Faassen faassen@vet.uu.nl
Fri, 5 Oct 2001 21:59:07 +0200


Evan Simpson wrote:
> Martijn Faassen wrote:
> 
> > python: field.my_python_script()
> >
> > This works just fine. Now I have attempted the same, but as anonymous
> > while anonymous had no permission to 'view' my_python_script, to make
> > sure the security issues are okay.
> >
> > Error Value: exceptions.AttributeError on my_python_script in ""
> >
> > File Python expression "field.my_python_script()", line 2, in f (Object:
> >  guarded_getattr) File
> > /home/faassen/XMLZope/lib/python/AccessControl/ZopeGuards.py, line 120,
> >  in guarded_getattr (Object: sf)
> 
> This is the security machinery trying to apply the principle "if you 
> aren't allowed to see it, we should just tell you it isn't there".  It 
> fails, unfortunately, since the traceback gives the game away.

I suspected it would be something like this, but I just wanted to make
sure. So is it correct that TALES expressions when called through
this sequence:

   expr = getEngine().compile(expression_ext)
   result = getEngine().getContext(some_object=my_zope_object).evaluate(expr)

shouldn't be able to do something that the user is not allowed to do?

If not, I'll quickly have to put out a bugfix release for Formulator. :)

Another question is can I store 'expr' in the ZODB? When I tried I
got a pickle error, so superficially this is not the case. In my case
it would optimize things some, though. Does ZPT make this optimization? 
One would think it would help speed things up.

Thanks,

Martijn
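
On the question of storing the compiled expression, an added example (not part of the original post, and not Formulator or ZPT code): persist only the expression text and treat the compiled object as a per-process cache. Python's built-in compile() and pickle stand in for the TALES engine and the ZODB; StoredExpression and its helpers are hypothetical names.

```python
import pickle


class StoredExpression:
    """Persists only the expression text; the compiled form is a cache."""

    def __init__(self, text):
        self.text = text
        # Named after ZODB's _v_ volatile-attribute convention; in this
        # stand-in, __getstate__ is what keeps it out of the stored state.
        self._v_compiled = None

    def __getstate__(self):
        # Drop the compiled object so only the source text is stored.
        state = self.__dict__.copy()
        state["_v_compiled"] = None
        return state

    def compiled(self):
        # Compile on first use after creation or after a reload.
        if self._v_compiled is None:
            self._v_compiled = compile(self.text, "<expression>", "eval")
        return self._v_compiled

    def evaluate(self, **names):
        # Stand-in for evaluation only. This is not a sandbox and applies
        # none of the per-access permission checks a guarded engine makes.
        return eval(self.compiled(), {"__builtins__": {}}, dict(names))


def compiled_form_pickles(text):
    """Return True if the compiled object itself can be pickled."""
    try:
        pickle.dumps(compile(text, "<expression>", "eval"))
    except (TypeError, pickle.PicklingError):
        return False
    return True


def round_trip(expr):
    """Store and reload the state dict, as a persistence layer would."""
    state = pickle.loads(pickle.dumps(expr.__getstate__()))
    clone = StoredExpression.__new__(StoredExpression)
    clone.__dict__.update(state)
    return clone
```

Because the cache is rebuilt from the stored text, evaluation after a reload still goes through whatever checks the engine applies at evaluation time.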