RestrictedPython icon indicating copy to clipboard operation
RestrictedPython copied to clipboard
verified publisher icon zopefoundation

Why is access to macros of a template disallowed in RestrictedPython?

Open pbauer opened this issue 6 years ago • 3 comments

Following up from https://github.com/plone/Products.CMFPlone/pull/2839:

Why does RestrictedPython not allow to use python:mytemplate.macros['master'] in a template but mytemplate/macros/master is allowed? macros is the property chameleon.zpt.program.import.macros which returns a chameleon.zpt.template.Macros object.

Allowed:

<pre tal:define="template python:context.restrictedTraverse('@@main_template')"
     tal:content="template/macros"></pre>

Not allowed:

<pre tal:define="template python:context.restrictedTraverse('@@main_template')"
     tal:content="python:template.macros"></pre>

pbauer avatar Apr 15 '19 16:04 pbauer

In Zope itself we solved this issue here: https://github.com/zopefoundation/Zope/pull/503

dataflake avatar Apr 16 '19 02:04 dataflake

@dataflake thanks for the info. I don't get why tal:content="python:template.macros" does not work in Plone (we use Zope 4.0b10 which has the mentioned fix).

pbauer avatar Apr 16 '19 14:04 pbauer

Running this in a Zope instance with security-policy-implementation python and verbose-security on helped me debug the original issue in Zope

dataflake avatar Apr 16 '19 14:04 dataflake