[ZPT] ZPT + ParsedXML strangeness (acquisition vs. getattr)

Willem Broekema willem@pastelhorn.com
Sun, 09 Dec 2001 23:53:07 +0100


Hi -- here's a strange behaviour using Page Templates and ParsedXML. I 
already posted this in Zope-xml, without response so far.

The files (also in wilm.nl/test with u/p faassen:faassen):

--- xml : ParsedXML ---------------------------------------------
<?xml version="1.0" ?>
<doc>
<a>a elm 1</a>
</doc>

--- pt_een : ZPT -------------------------------------------------
<div tal:repeat="a python:here.xml[0].getElementsByTagName('a')">
<div tal:content="structure a/pt_twee">a/pt_twee</div>
</div>

--- pt_twee : ZPT ------------------------------------------------
something
------------------------------------------------------------------

Calling:
    xml/pt_een

results in:

   if I'm logged in as 'manager':
     "something"  # this is correct

   if I'm not logged in:
     "Error Type: TALESError
      Error Value: exceptions.ValueError on invalid literal for int():
                   pt_twee in "<PathExpr standard:a/pt_twee>"


Now, creating a "Script (Python)" with proxy 'manager':

--- py : Script (Python) -----------------------------------------
return context.xml.pt_een()
------------------------------------------------------------------

and calling that gives the same exception, which is strange, since as 
manager it's ok.


Changing the line in ZPT pt_een from:
   <div tal:content="structure a/pt_twee">a/pt_twee</div>
to:
   <div tal:content="structure python: a.pt_twee()">a/pt_twee</div>

results in:
    Error Type: TALESError
    Error Value: exceptions.AttributeError on pt_twee
                 in <PythonExpr a.pt_twee()>


So, what Martijn Faassen concluded (thanks for looking into it!):

   - when logged in as manager, Zope (correctly!) applies the acquired
     ZPT 'pt_twee' to the XML node;

   - when not, even with a proxy role, Zope (incorrectly!) tries to
     fetch the 'pt_twee' *index* of the XML node -
     getitem(a, 'pt_twee'); probably because of some security issue(?)


Could someone explain this, or confirm this is a bug?

Again, all files are accessible on my site mentioned above, in case you 
want to see the full traceback etc.

- Willem
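
Added example, not part of the original post and not Zope's code: a simplified Python model of the lookup order described in the conclusion above (attribute first, item access as fallback), reproducing both reported errors. The class and function names, the `allowed` set, and the assumption that the access check hides the acquired template from an anonymous user are hypothetical.

```python
# Simplified model of the behaviour reported above; this is NOT Zope's code.
# All names (Template, Node, guarded_getattr, traverse_path, render) are hypothetical.

class Template:
    """Stands in for the acquired page template 'pt_twee'."""
    def __call__(self):
        return "something"

class Node:
    """Stands in for a ParsedXML element: missing attributes are acquired
    from the container, and indexing means 'child number N'."""
    def __init__(self, container, children):
        self._container = container
        self._children = list(children)

    def __getattr__(self, name):          # only called when normal lookup fails
        if name.startswith("_") or name not in self._container:
            raise AttributeError(name)
        return self._container[name]

    def __getitem__(self, key):
        return self._children[int(key)]   # int('pt_twee') raises ValueError

def guarded_getattr(obj, name, allowed):
    """Attribute lookup behind an access check. Assumption: a denied name is
    reported exactly like a missing one."""
    if name not in allowed:
        raise AttributeError(name)
    return getattr(obj, name)

def traverse_path(obj, name, allowed):
    """Model of the path step 'a/pt_twee': attribute first, then item."""
    try:
        return guarded_getattr(obj, name, allowed)
    except AttributeError:
        return obj[name]                  # fallback; ValueError escapes from here

def render(allowed, python_expr=False):
    """Evaluate 'a/pt_twee' (default) or 'python: a.pt_twee()' for one user."""
    a = Node({"pt_twee": Template()}, ["a elm 1"])
    if python_expr:
        return guarded_getattr(a, "pt_twee", allowed)()
    return traverse_path(a, "pt_twee", allowed)()

if __name__ == "__main__":
    print(render({"pt_twee"}))            # user who may see the template
    for python_expr in (False, True):     # user who may not
        try:
            render(set(), python_expr)
        except (ValueError, AttributeError) as exc:
            print(type(exc).__name__, exc)
```

In this model the denied attribute lookup surfaces as a ValueError from the item fallback, so the failure reads like a type error rather than a permission problem.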