[ZPT] using TALES expressions elsewhere

Martijn Faassen faassen@vet.uu.nl
Thu, 4 Oct 2001 21:42:02 +0200


Hi there,

I'm attempting to use TALES expressions in Formulator (to enable
users to override field properties in a flexible manner).

So far I've been able to introduce it with a minimal amount of code
change, but there are still some issues remaining. One is security.

In a TALES Python expression that I've passed some keyword parameters
to for context ('field' and 'form' in this case, so far), I call
a Python script that is in the acquisition context:

python: field.my_python_script()

This works just fine. Now I have attempted the same, but as
anonymous while anonymous had no permission to 'view'
my_python_script, to make sure the security issues are
okay.

With the latest released version, I received the following traceback:
(sorry for the length, read on underneath it)

Error Type: TALESError
Error Value: exceptions.AttributeError on my_python_script in ""

Traceback (innermost last):
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /home/faassen/XMLZope/lib/python/Zope/__init__.py, line 226, in zpublisher_exception_hook
    (Object: LockableItem)
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /home/faassen/XMLZope/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/OFS/DTMLMethod.py, line 194, in __call__
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/DocumentTemplate/DT_String.py, line 546, in __call__
    (Object: index_html)
  File /home/faassen/XMLZope/lib/python/DocumentTemplate/DT_Util.py, line 231, in eval
    (Object: form.render())
    (Info: form)
  File <string>, line 2, in f
    (Object: guarded_getattr)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Form.py, line 263, in render
    (Object: LockableItem)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 176, in render
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 150, in _render_helper
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 163, in _get_default
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/Field.py, line 96, in get_value
    (Object: sf)
  File /home/faassen/XMLZope/lib/python/Products/Formulator/TALESField.py, line 37, in __call__
  File /home/faassen/XMLZope/lib/python/Products/PageTemplates/TALES.py, line 295, in evaluate
  File /home/faassen/XMLZope/lib/python/Products/PageTemplates/ZRPythonExpr.py, line 121, in __call__
    (Info: field.my_python_script())
  File Python expression "field.my_python_script()", line 2, in f
    (Object: guarded_getattr)
  File /home/faassen/XMLZope/lib/python/AccessControl/ZopeGuards.py, line 120, in guarded_getattr
    (Object: sf)
TALESError: (see above)

Firstly, I'm glad that there is an exception.  But, this isn't a regular
security exception, so I'm wondering if I should be doing any other security
checks to make sure nothing untoward can happen. In addition, it would
also be nice to give a message to the user that is a bit more readable
to the developer than this one.

Thanks,

Martijn
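A minimal model of what the traceback above shows, added here as an illustration and not Formulator's or Zope's own code: the `python:` expression is compiled so that every attribute access goes through a guard function (the role `guarded_getattr` plays in the traceback), and a guard refusal is reported together with the expression text instead of surfacing as a bare AttributeError. The `Field` class, the permission map, the role names and the `evaluate`/`make_guard` helpers are constructed for this example.

```python
import ast

class Unauthorized(Exception):
    """Raised by the guard when the caller's roles do not cover the attribute."""
class ExpressionError(Exception):
    """Readable wrapper: names the failing expression and the underlying cause."""

class _GuardAttributes(ast.NodeTransformer):
    """Rewrite every `obj.name` into `_getattr_(obj, 'name')` so that no attribute
    access in the expression can bypass the guard (the idea behind guarded_getattr)."""
    def visit_Attribute(self, node):
        self.generic_visit(node)
        call = ast.Call(func=ast.Name(id="_getattr_", ctx=ast.Load()),
                        args=[node.value, ast.Constant(node.attr)], keywords=[])
        return ast.copy_location(call, node)

def compile_guarded(expr):
    """Compile the body of a 'python:' expression with guarded attribute access."""
    tree = ast.fix_missing_locations(_GuardAttributes().visit(ast.parse(expr, mode="eval")))
    return compile(tree, "<python expression %r>" % expr, "eval")

def make_guard(permissions, roles):
    """permissions maps (class name, attribute) to the roles allowed to reach it;
    roles are the caller's roles. Both are constructed for this example."""
    def _getattr_(obj, name):
        allowed = permissions.get((type(obj).__name__, name), set())
        if not allowed & roles:
            raise Unauthorized("%r on %s is not accessible to roles %s"
                               % (name, type(obj).__name__, sorted(roles)))
        return getattr(obj, name)
    return _getattr_

def evaluate(expr, context, permissions, roles):
    """Evaluate expr over the context names (e.g. 'field', 'form'); every attribute
    lookup is checked. A guard refusal becomes an ExpressionError carrying the
    expression text, rather than an opaque AttributeError."""
    namespace = dict(context)
    namespace["_getattr_"] = make_guard(permissions, roles)
    namespace["__builtins__"] = {}   # no getattr()/__import__ reachable from the expression
    try:
        return eval(compile_guarded(expr), namespace)
    except Unauthorized as exc:
        raise ExpressionError("%s, in expression %r" % (exc, expr)) from exc

class Field:
    """Constructed stand-in for a Formulator field exposing a script."""
    def my_python_script(self):
        return "script ran"

PERMISSIONS = {("Field", "my_python_script"): {"Manager"}}
```

With the Manager role the call succeeds; with only the Anonymous role the same expression is refused with a message that names both the attribute and the expression.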