[Zope] manage_addProperty [basic] syntax question

Dieter Maurer dieter@handshake.de
Tue, 17 Apr 2001 21:22:06 +0200 (CEST)


Jason Cunliffe writes:
 > From: "Dieter Maurer" <dieter@handshake.de>
 > > Jason Cunliffe writes:
 > >  > I have searched, and I know its really simple, but please can anyone
 > tell me
 > >  > how to take a working URL like this:
 > >  >
 > >  > http://Zsite231/images/manage_addProduct/Photo/PhotoAdd_version2
 > >
 > > Whenever you have a path (absolute, server local),
 > > you can use "restrictedTraverse" to resolve it into an
 > > object (under the condition of sufficient permissions).
 > 
 > Thanks
 > ....... so I tried this:
 > 
 > <dtml-var
 > "restrictedTraverse('/images/manage_addProduct/Photo/PhotoAdd_jason').absolu
 > te_url()">
 > 
 > following a syntax example from a post at
 > http://lists.zope.org/pipermail/zope/2000-September/117834.html
 > 
 > I imagine that you will not be surprised to learn that I keep getting a
 > Network Password dialog box popping up...
I looked at the source in "OFS.Traversable" and determined,
that "restrictedTraverse" validates access to each intermediate
step. "REQUEST.resolve_url" on the other hand validates only
the last step (I think, did not check).

Your traceback suggests that you do not have access to "Photo".
I cannot tell you, why. With the help of my DocFinder product

  URL:http://www.dieter.handshake.de/pyprojects/zope/DocFinder.html
  
I verified that my products allow access to "Anonymous" and
"Manager". Nevertheless, "restrictedTraverse" raises an
"Unauthorized". Maybe a bug in "getSecurityManager().validate"
or something with respect to acquisition or Zope permissions,
we do not yet understand.

Your options:

 * use "unrestrictedTraverse" (not directly allowed from DTML or
   Python script)

 * use "REQUEST.resolve_url"

 * find the reason, why Zope security does not work as we
   expect - maybe file a bug report.

Currently, I have not enough time to analyse the problem fully.


Dieter