comments and Acquisition question

classic Classic list List threaded Threaded
6 messages Options
khink khink
Reply | Threaded
Open this post in threaded view
|

comments and Acquisition question

Is it normal that a comments parent has different permissions depending
on how you get to it? This is from a ./bin/instance debug session:

 >>> comment.__parent__.__parent__ == article
True
 >>> user_nobody.has_permission('View',comment.__parent__.__parent__)
 >>> user_nobody.has_permission('View',article)
1

Leading up to this was:

from AccessControl.SpecialUsers import nobody as user_nobody
from plone.app.discussion.interfaces import IConversation
website = app.website
wftool = website.portal_workflow
autoren = website.autoren
test = autoren.test
article = test.get('geh-doch-nach-berlin')
conversation = IConversation(article)
comments = [x for x in conversation._comments.values()]
comment = comments[0]


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Dieter Maurer Dieter Maurer
Reply | Threaded
Open this post in threaded view
|

Re: comments and Acquisition question

Kees Hink <[hidden email]> writes:

> Is it normal that a comments parent has different permissions depending
> on how you get to it? This is from a ./bin/instance debug session:

Zope 2 uses acquisition (i.e. the access path to an object) to
evaluate permissions - though only the "containment part" of the
acquisition context. Thus, in principle, the permission evaluation
can give different results when you have accessed an object in a
non standard way.

>  >>> comment.__parent__.__parent__ == article
> True
>  >>> user_nobody.has_permission('View',comment.__parent__.__parent__)
>  >>> user_nobody.has_permission('View',article)
> 1

I expect that the acquisition context of
"comment.__parent__.__parent__" differs from that of "article" --
probably due to some bug.

There is an old script of Shane (Hasaway ?) name "showaq", which
allows you to easily visualise an acquisition context.


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
khink khink
Reply | Threaded
Open this post in threaded view
|

Re: comments and Acquisition question

Thanks for your reply, much appreciated.

Without being able to find Shane( Hathaway)'s script, aq_chain provides
some info:
aq_chain(conversation) has the whole chain, from the Zope root down.
aq_chain(comment) has only Comment, Conversation, and Article.
Also, when i explicitly put the comment in a context, using
aq_chain(comment.__of__(conversation)), i get the whole chain.

On 05/04/2013 08:50 AM, dieter wrote:

> Kees Hink <[hidden email]> writes:
>
>> Is it normal that a comments parent has different permissions depending
>> on how you get to it? This is from a ./bin/instance debug session:
>
> Zope 2 uses acquisition (i.e. the access path to an object) to
> evaluate permissions - though only the "containment part" of the
> acquisition context. Thus, in principle, the permission evaluation
> can give different results when you have accessed an object in a
> non standard way.
>
>>   >>> comment.__parent__.__parent__ == article
>> True
>>   >>> user_nobody.has_permission('View',comment.__parent__.__parent__)
>>   >>> user_nobody.has_permission('View',article)
>> 1
>
> I expect that the acquisition context of
> "comment.__parent__.__parent__" differs from that of "article" --
> probably due to some bug.
>
> There is an old script of Shane (Hasaway ?) name "showaq", which
> allows you to easily visualise an acquisition context.
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite
> It's a free troubleshooting tool designed for production
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap2
>



------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Dieter Maurer Dieter Maurer
Reply | Threaded
Open this post in threaded view
|

Re: comments and Acquisition question

Kees Hink <[hidden email]> writes:

> Without being able to find Shane( Hathaway)'s script, aq_chain provides
> some info:
> aq_chain(conversation) has the whole chain, from the Zope root down.
> aq_chain(comment) has only Comment, Conversation, and Article.

That explains the differences in the permission checks.

The shortened acquisition context is likely a bug.
You might consider filing a bug report.


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
khink khink
Reply | Threaded
Open this post in threaded view
|

Re: comments and Acquisition question

Thanks, i reopened https://dev.plone.org/ticket/13188#comment:3

On 05/08/2013 08:45 AM, dieter wrote:

> Kees Hink <[hidden email]> writes:
>
>> Without being able to find Shane( Hathaway)'s script, aq_chain provides
>> some info:
>> aq_chain(conversation) has the whole chain, from the Zope root down.
>> aq_chain(comment) has only Comment, Conversation, and Article.
>
> That explains the differences in the permission checks.
>
> The shortened acquisition context is likely a bug.
> You might consider filing a bug report.
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
>



------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Jean Jordaan Jean Jordaan
Reply | Threaded
Open this post in threaded view
|

Re: comments and Acquisition question

In reply to this post by khink
On Tue, May 7, 2013 at 11:31 PM, Kees Hink <[hidden email]> wrote:
> Without being able to find Shane( Hathaway)'s script,

I believe this is it:
  http://old.zope.org/Members/chrisw/showaq

--
jean                                              . .. .... //\\\oo///\\

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users