[Zope] =?iso-8859-1?Q?R=E9f=2E_=3A_Re=3A_[Zope-CMF]_[HELP]_Use_of_=22portal?= =?us-ascii?Q?=5Fmetadata?= =?us-ascii?Q?=22_?= =?us-ascii?Q?in?= a DTML file

flemaitre@fede.generali.fr flemaitre@fede.generali.fr
Tue, 23 Apr 2002 10:31:11 +0200


--=_mixed 002F0C27C1256BA4_=
Content-Type: multipart/alternative; boundary="=_alternative 002F0C27C1256BA4_="


--=_alternative 002F0C27C1256BA4_=
Content-Type: text/plain; charset="us-ascii"

Hello Tres,

>> If you would, please try the attached patch and see if it helps.
Thanks a lot for your help : i don't really understand how it work... but 
it works !!
I'll put this bug into the tracker ASAP.


But there's a another little problem : the "MetaDataTool.py" with your 
patch doesn't still works with the ZMI.


>> Votre anglais est tres superieur de mon francais. :)
Not so bad ! ;-)


Thanks.
Fred.






Tres Seaver <tseaver@zope.com>
22/04/2002 16:27

 
        Pour :  flemaitre@fede.generali.fr
        cc :    Zope-CMF@zope.org, zope@zope.org
        Objet : Re: [Zope-CMF] [HELP] Use of "portal_metadata" in a DTML file


On Mon, 2002-04-22 at 09:56, flemaitre@fede.generali.fr wrote:
> Hello,
> 
> I'm using the tool "portal_metadata"  in order to fix a policy of 
metadata 
> for my site.
> But i have a problem :
>         - I'm making a DTML form wich allow my users to modify the 
> Elements of the "portal_metadata" instance
>         - In this DTML form, i get the list of metadata elements by 
using 
> : "portal_metada.listElementSpecs()" ==> Ok
>         - I want to access (and to modify) the detail of these elements 
by 
> using :
>                 * portal_metadata.getElementSpec(element='My 
> metadata').isRequired()
>                 * portal_metadata.getElementSpec(element='My 
> metadata').isMultiValued()
>                 * etc....
> 
>          ==> It doesn't work, Zope says "You are not authorized to 
access 
> isMultiValued", but i'm "Manager" what does it mean ?
>         From the ZMI, the form "metadataElementPolicies.dtml" (of 
> CMFDefault) does the same thing, and it's work.... Why ?

The ZMI version is a class method, and hence operates as "trusted" code;
it doesn't surface the bug you found.  The 'getElementSpec' method
returns the ElementSpec instance without wrapping it in itself, which
means that your DTML method cannot do the security checks properly.

If you would, please try the attached patch and see if it helps.

Please report this as a bug to the tracker.

> Excuse my english.... ;-)

Votre anglais est tres superieur de mon francais. :)

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com



--=_alternative 002F0C27C1256BA4_=
Content-Type: text/html; charset="us-ascii"


<br><font size=2 face="sans-serif">Hello Tres,</font>
<br>
<br><font size=2 face="Courier New">&gt;&gt; If you would, please try the attached patch and see if it helps.</font>
<br><font size=2 face="sans-serif">Thanks a lot for your help : i don't really understand how it work... but it works !!</font>
<br><font size=2 face="sans-serif">I'll put this bug into the tracker ASAP.</font>
<br>
<br>
<br><font size=2 face="sans-serif">But there's a another little problem : the &quot;MetaDataTool.py&quot; with your patch doesn't still works with the ZMI.</font>
<br>
<br>
<br><font size=2 face="Courier New">&gt;&gt; Votre anglais est tres superieur de mon francais. :)<br>
Not so bad ! ;-)</font>
<br>
<br>
<br><font size=2 face="Courier New">Thanks.</font>
<br><font size=2 face="Courier New">Fred.</font>
<br>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td>
<td><font size=1 face="sans-serif"><b>Tres Seaver &lt;tseaver@zope.com&gt;</b></font>
<p><font size=1 face="sans-serif">22/04/2002 16:27</font>
<br>
<td><font size=1 face="Arial">&nbsp; &nbsp; &nbsp; &nbsp; </font>
<br><font size=1 face="sans-serif">&nbsp; &nbsp; &nbsp; &nbsp; Pour : &nbsp; &nbsp; &nbsp; &nbsp;flemaitre@fede.generali.fr</font>
<br><font size=1 face="sans-serif">&nbsp; &nbsp; &nbsp; &nbsp; cc : &nbsp; &nbsp; &nbsp; &nbsp;Zope-CMF@zope.org, zope@zope.org</font>
<br><font size=1 face="sans-serif">&nbsp; &nbsp; &nbsp; &nbsp; Objet : &nbsp; &nbsp; &nbsp; &nbsp;Re: [Zope-CMF] [HELP] Use of &quot;portal_metadata&quot; in a DTML file</font></table>
<br>
<br>
<br><font size=2 face="Courier New">On Mon, 2002-04-22 at 09:56, flemaitre@fede.generali.fr wrote:<br>
&gt; Hello,<br>
&gt; <br>
&gt; I'm using the tool &quot;portal_metadata&quot; &nbsp;in order to fix a policy of metadata <br>
&gt; for my site.<br>
&gt; But i have a problem :<br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; - I'm making a DTML form wich allow my users to modify the <br>
&gt; Elements of the &quot;portal_metadata&quot; instance<br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; - In this DTML form, i get the list of metadata elements by using <br>
&gt; : &quot;portal_metada.listElementSpecs()&quot; ==&gt; Ok<br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; - I want to access (and to modify) the detail of these elements by <br>
&gt; using :<br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; * portal_metadata.getElementSpec(element='My <br>
&gt; metadata').isRequired()<br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; * portal_metadata.getElementSpec(element='My <br>
&gt; metadata').isMultiValued()<br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; * etc....<br>
&gt; <br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;==&gt; It doesn't work, Zope says &quot;You are not authorized to access <br>
&gt; isMultiValued&quot;, but i'm &quot;Manager&quot; what does it mean ?<br>
&gt; &nbsp; &nbsp; &nbsp; &nbsp; From the ZMI, the form &quot;metadataElementPolicies.dtml&quot; (of <br>
&gt; CMFDefault) does the same thing, and it's work.... Why ?<br>
<br>
The ZMI version is a class method, and hence operates as &quot;trusted&quot; code;<br>
it doesn't surface the bug you found. &nbsp;The 'getElementSpec' method<br>
returns the ElementSpec instance without wrapping it in itself, which<br>
means that your DTML method cannot do the security checks properly.<br>
<br>
If you would, please try the attached patch and see if it helps.<br>
<br>
Please report this as a bug to the tracker.<br>
<br>
&gt; Excuse my english.... ;-)<br>
<br>
Votre anglais est tres superieur de mon francais. :)<br>
<br>
Tres.<br>
-- <br>
===============================================================<br>
Tres Seaver &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tseaver@zope.com<br>
Zope Corporation &nbsp; &nbsp; &nbsp;&quot;Zope Dealers&quot; &nbsp; &nbsp; &nbsp; http://www.zope.com<br>
</font>
<br>
<br>
--=_alternative 002F0C27C1256BA4_=--
--=_mixed 002F0C27C1256BA4_=
Content-Type: application/octet-stream; name="MetadataTool.py.diff"
Content-Disposition: attachment; filename="MetadataTool.py.diff"
Content-Transfer-Encoding: base64

SW5kZXg6IENNRkRlZmF1bHQvTWV0YWRhdGFUb29sLnB5DQo9PT09PT09PT09PT09PT09PT09PT09
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpSQ1MgZmlsZTog
L2N2cy1yZXBvc2l0b3J5L0NNRi9DTUZEZWZhdWx0L01ldGFkYXRhVG9vbC5weSx2DQpyZXRyaWV2
aW5nIHJldmlzaW9uIDEuMTMNCmRpZmYgLXUgLXIxLjEzIE1ldGFkYXRhVG9vbC5weQ0KLS0tIENN
RkRlZmF1bHQvTWV0YWRhdGFUb29sLnB5CTIxIE1hciAyMDAyIDE2OjQ3OjU2IC0wMDAwCTEuMTMN
CisrKyBDTUZEZWZhdWx0L01ldGFkYXRhVG9vbC5weQkyMiBBcHIgMjAwMiAxNDoyMTowMyAtMDAw
MA0KQEAgLTIxLDEzICsyMSwxMiBAQA0KIA0KIA0KIGZyb20gR2xvYmFscyBpbXBvcnQgSW5pdGlh
bGl6ZUNsYXNzLCBEVE1MRmlsZQ0KLWZyb20gUGVyc2lzdGVuY2UgaW1wb3J0IFBlcnNpc3RlbnQN
CiBmcm9tIEFjY2Vzc0NvbnRyb2wgaW1wb3J0IENsYXNzU2VjdXJpdHlJbmZvLCBnZXRTZWN1cml0
eU1hbmFnZXINCiBmcm9tIFByb2R1Y3RzLkNNRkNvcmUgaW1wb3J0IENNRkNvcmVQZXJtaXNzaW9u
cw0KIGZyb20gUHJvZHVjdHMuQ01GQ29yZS5BY3Rpb25Qcm92aWRlckJhc2UgaW1wb3J0IEFjdGlv
blByb3ZpZGVyQmFzZQ0KIGZyb20gdXRpbHMgaW1wb3J0IF9kdG1sZGlyDQogDQotY2xhc3MgTWV0
YWRhdGFFbGVtZW50UG9saWN5KCBQZXJzaXN0ZW50ICk6DQorY2xhc3MgTWV0YWRhdGFFbGVtZW50
UG9saWN5KCBTaW1wbGVJdGVtICk6DQogICAgICIiIg0KICAgICAgICAgUmVwcmVzZW50IGEgdHlw
ZS1zcGVjaWZpYyBwb2xpY3kgYWJvdXQgYSBwYXJ0aWN1bGFyIERDTUkgZWxlbWVudC4NCiAgICAg
IiIiDQpAQCAtMTE2LDcgKzExNSw3IEBADQogICAgICAgICAgICAgICAgICAgICAgICAgLCAoICdS
aWdodHMnLCAwICkNCiAgICAgICAgICAgICAgICAgICAgICAgICApDQogDQotY2xhc3MgRWxlbWVu
dFNwZWMoIFBlcnNpc3RlbnQgKToNCitjbGFzcyBFbGVtZW50U3BlYyggU2ltcGxlSXRlbSApOg0K
ICAgICAiIiINCiAgICAgICAgIFJlcHJlc2VudCBhbGwgdGhlIHRvb2wga25vd3MgYWJvdXQgYSBz
aW5nbGUgbWV0YWRhdGEgZWxlbWVudC4NCiAgICAgIiIiDQpAQCAtMzk3LDcgKzM5Niw3IEBADQog
ICAgICAgICAgICAgUmV0dXJuIGFuIEVsZW1lbnRTcGVjIHJlcHJlc2VudGluZyB0aGUgdG9vbCdz
IGtub3dsZWRnZQ0KICAgICAgICAgICAgIG9mICdlbGVtZW50Jy4NCiAgICAgICAgICIiIg0KLSAg
ICAgICAgcmV0dXJuIHNlbGYuZWxlbWVudF9zcGVjc1sgZWxlbWVudCBdDQorICAgICAgICByZXR1
cm4gc2VsZi5lbGVtZW50X3NwZWNzWyBlbGVtZW50IF0uX19vZl9fKCBzZWxmICkNCiANCiAgICAg
c2VjdXJpdHkuZGVjbGFyZVByb3RlY3RlZCggQ01GQ29yZVBlcm1pc3Npb25zLk1hbmFnZVBvcnRh
bA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLCAnYWRkRWxlbWVudFNwZWMnICkNCg==
--=_mixed 002F0C27C1256BA4_=--