[Zope] Probably Zope Bug (was: Re: [Zope] all DTML Methods of current folder and subfolder)

Dieter Maurer dieter@handshake.de
Wed, 26 Jul 2000 00:13:07 +0200 (CEST)


Jerome Alet writes:
 > Thanks to you, the syntax you gave me is accepted by the dtml parser, but
 > both
 > 
 > <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'], 
 >           obj_expr='''not objectValues(['Folder'])''', 
 >           search_sub=1)">
 > 
 > and 
 > 
 > <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'],  
 >           obj_expr='not objectValues([\'Folder\'])',
 >           search_sub=1)">
 > 
 > have given me an empty list.
I analysed this strange behavior in Zope 2.1.6
and have a partial explanation.

  Although the permission setting for "objectValues"
  is "Access contents information" which by default
  is granted to "Anonymous" and "Manager",
  only "Manager" is allowed to access "objectValues"
  in the context of the above "ZopeFind".

  I could not yet determine why this is the case.

  But taking this fact for granted, the behavior
  becomes clear: the access to "objectValues" results
  in an "Unauthorized" exception. This
  is caught but prevents any object from being
  added to the result list.

Workaround:
  you need to add the REQUEST parameter to "ZopeFind".
  i.e.:
   <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'],  
             obj_expr='not objectValues([\'Folder\'])',
             search_sub=1, REQUEST=REQUEST)">
  
  This allows ZopeFind to use AUTHENTICATED_USER for
  validation of the "objectValues" access.

  The code will then work at least for the manager.

  Hopefully (not tested) a manager proxy role will
  make it work for arbitrary users, too.


I will investigate further why "this().objectValues__roles__"
returns "('Manager',)" rather than "('Anonymous','Manager')".
However, this can take quite some time because I am
currently a bit stressed.


Dieter
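
Added example, not part of the original message and not Zope source code: a simplified Python model of the failure mode described above, in which an authorization error raised while evaluating the search expression is swallowed, so the caller cannot tell an empty result from "no match". The `Folder` class, `find_leaf_folders`, the `denied` list and the mapping of "no REQUEST" to the Anonymous role are assumptions made for illustration.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""

class Folder:
    def __init__(self, name, children=(), roles=("Manager",)):
        self.name = name
        self.children = list(children)
        # Roles allowed to call objectValues; ('Manager',) is the value
        # the message reports seeing inside ZopeFind.
        self.objectValues__roles__ = roles

def guarded_object_values(folder, user_roles):
    """Return the sub-folders only if the caller holds an allowed role."""
    if not set(user_roles) & set(folder.objectValues__roles__):
        raise Unauthorized("objectValues on " + folder.name)
    return folder.children

def find_leaf_folders(root, user_roles=("Anonymous",)):
    """Model of the search: collect folders that have no sub-folders.

    Assumption: a call without REQUEST is modelled as the Anonymous role.
    Returns (matches, denied); the search in the message yields only matches.
    """
    matches, denied = [], []
    stack = list(root.children)
    while stack:
        folder = stack.pop()
        stack.extend(folder.children)      # search_sub=1: always descend
        try:
            if not guarded_object_values(folder, user_roles):
                matches.append(folder.name)
        except Unauthorized:
            denied.append(folder.name)     # swallowed in the search described above
    return sorted(matches), sorted(denied)

def sample_tree(roles=("Manager",)):
    """Constructed test data: root/a/{b,c} and root/d."""
    a = Folder("a", [Folder("b", roles=roles), Folder("c", roles=roles)], roles)
    return Folder("root", [a, Folder("d", roles=roles)], roles)

if __name__ == "__main__":
    print(find_leaf_folders(sample_tree()))                 # modelled call without REQUEST
    print(find_leaf_folders(sample_tree(), ("Manager",)))   # modelled call as a manager
    print(find_leaf_folders(sample_tree(("Anonymous", "Manager"))))  # default roles
```

Keeping a record of the denied objects, as the model does, is what distinguishes "nothing matched" from "every check failed" when diagnosing an empty result.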