New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chameleon.zpt.template.Macros is missing a security declaration #210

icemac opened this Issue Oct 23, 2017 · 0 comments


None yet
1 participant

icemac commented Oct 23, 2017

Imagine the following scenario in Zope 2.13 using through the web PageTemplates:

Contents of PageTemplage named master:

<span metal:define-macro="foo">bar</span>

Contents of another PageTemplate:

<span metal:use-macro="here/master/macros/foo" />
<span metal:use-macro="python:here.master.macros['foo']" />

The latter PageTemplate renders as bar bar.

On Zope 4 the same scenario behaves differently:

<span metal:use-macro="here/master/macros/foo" />

successfully renders bar but

<span metal:use-macro="python:here.master.macros['foo']" />

raises an Unauthorized exception which manifests in a basic auth password dialog.

The reason seems to be that the following classes have no security declarations:

  • chameleon.zpt.template.Macros
  • chameleon.zpt.template.Macro

This breaks using the __getitem__ style when using macros.

@icemac icemac added this to the 4.0b3 milestone Oct 23, 2017

@icemac icemac modified the milestones: 4.0b3, 4.0b4 Feb 2, 2018

@icemac icemac modified the milestones: 4.0b4, 4.0b5 Apr 23, 2018

@icemac icemac modified the milestones: 4.0b5, 4.0b6 May 25, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment