[ZPatterns] large ZPatterns bug with Zope 2.4: sort of fixed
Steve Alexander
[email protected]
Sat, 07 Jul 2001 23:51:07 +0100
Steve Alexander wrote:
>
> I've a feeling it is something to do with the new restricted execution
> stuff.
The symptoms of the problem get solved if you add a guarded_getattr
attribute to the class NamespaceStack in Expressions.py:

class NamespaceStack(TemplateDict):
    """A DTML-style namespace stack, complete with Zope security

    To use, just create one with 'NamespaceStack()', then use its
    '_push()' and '_pop()' methods to add/remove mapping objects. If you
    need to push a regular object instance (ala DTML's "with" tag), use::

        stack._push(InstanceDict(object,stack))"""

    # added as a fix for Zope 2.4 problems.
    guarded_getattr=None

    # Called by Zope only
    def validate(self, inst, parent, name, value, md):
        return getSecurityManager().validate(inst, parent, name, value)

This works because the problem is caused by InstanceDict assuming that
the namespace it is passed will contain a guarded_getattr attribute.
See pDocumentTemplate.py, line 129.
I've no idea what the implications of this for security are.
Next, I need to look at how other parts of Zope use InstanceDict, and
see if I can figure out how this is all supposed to go.
--
Steve Alexander
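
A minimal model of the failure and the workaround described in the post above, added here as an illustration; it is not code from Zope, ZPatterns or the post's author. The class bodies are simplified stand-ins, and the fallback to plain getattr when the hook is None, as well as GuardedStack and its allow-list, are assumptions made for the example.

```python
# Simplified stand-ins, NOT Zope/ZPatterns code: names mirror the post, bodies are assumed.

class Unauthorized(Exception):
    """Raised by the hypothetical guarded lookup when access is denied."""

class InstanceDict:
    """Model of a wrapper that takes its attribute-access hook from the namespace."""
    def __init__(self, obj, namespace):
        self.obj = obj
        # The lookup the post points at: fails if the namespace lacks the attribute.
        self.guarded_getattr = namespace.guarded_getattr

    def __getitem__(self, key):
        # Assumption: a None hook means "use plain, unchecked getattr".
        get = self.guarded_getattr or getattr
        try:
            return get(self.obj, key)
        except AttributeError:
            raise KeyError(key)

class BrokenStack:
    """Namespace with no guarded_getattr at all: the reported failure."""

class PatchedStack:
    """The post's workaround: the attribute exists, but carries no check."""
    guarded_getattr = None

class GuardedStack:
    """Hypothetical alternative: lookups go through an allow-list policy."""
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def guarded_getattr(self, inst, name):
        if name not in self.allowed:
            raise Unauthorized(name)
        return getattr(inst, name)

class Doc:
    """Constructed sample object with one public and one restricted attribute."""
    title = "public"
    secret = "restricted"

def lookup(stack, key):
    """Return the looked-up value, or the name of the exception raised."""
    try:
        return InstanceDict(Doc(), stack)[key]
    except (AttributeError, KeyError, Unauthorized) as exc:
        return type(exc).__name__
```

In this model the patched stack makes the error go away but also returns the restricted attribute, which is the kind of question the post leaves open.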