Resource directories are not traversable

Hello,

   I wrote two functional tests in five.grok, which ask to render in a template:

  <span
   tal:condition="exists: view/static/style.css">Test succeed</span>
  <span
    tal:condition="exists: view/static/nonexistant.css">Test failed</span>

   And:

  <span
   tal:condition="exists: context/++resource++five.grok.ftests.view/style.css">Test succeed</span>
  <span
   tal:condition="exists: context/++resource++five.grok.ftests.view/nonexistant.css">Test failed</span>

   And both examples work without any problems. Could you help me to reproduce that bug ? Maybe it's the ResourceRegistry which does some strange hacks.

   Sylvain,

Hi Sylvain,

I came across this again and did some more debugging.

Is your test using a browser view? If so, it wouldn't trigger the error, because it probably only happens in protected code.

Basically, I think the problem is this:

 - The expression does exists:portal/++resource++foo.bar/some-stylesheet.css
 - This finds the ZopeTwoDirectoryResource for ++resource++foo.bar
 - It then tries to traverse to some-stylesheet.css, which calls restrictedTraverse() on the ZopeTwoDirectoryResource
 - This ends up calling validate() on the security manager
 - This ends up here, in AccessControl.ImplPython:

            p = Containers(type(container), None)
            if p is None:
                p = getattr(container,
                            '__allow_access_to_unprotected_subobjects__',
                            None)

            if p is not None:
                if not isinstance(p, int): # catches bool too
                    if isinstance(p, dict):
                        if isinstance(name, basestring):
                            p = p.get(name)
                        else:
                            p = 1
                    else:
                        p = p(name, value)

            if not p:
                if self._verbose:
                    raiseVerbose(
                        'The container has no security assertions',
                        accessed, container, name, value, context)
                raise Unauthorized(name, value)

The variables are:

(Pdb) pp accessed, container, name, value, context
(<five.grok.components.ZopeTwoDirectoryResource object at 0x6dd48b0>,
 <five.grok.components.ZopeTwoDirectoryResource object at 0x6dd48b0>,
 None,
 <Products.Five.browser.resource.FileResource object at 0x6dd4910>,
 <AccessControl.SecurityManagement.SecurityContext instance at 0x6da51e8>)

As you can see from this code, it's trying to determine if you're allowed to access an item in a container. For that to be allowed, you need to set __allow_access_to_unprotected_subobjects__ to True (or to a method that returns True when called with the sub-item name).

Therefore, adding this to ZopeTwoDirectoryResource seems to do the trick:

class ZopeTwoDirectoryResource(resource.DirectoryResource):
    __allow_access_to_unprotected_subobjects__ = True

Do you agree with this?

Cheers,
Martin

Okay, I checked in this fix in r100565.

Hello,

    I was confused, I got the same bug on Plone, but still could not reproduce it in tests in five.grok. I look at your fix, this seems ok to me. I am going to make a new release today, since I need it as well (and add you on the cheeseshop as well).

    First I need to fix the buildout to be able to run the tests, it's pulling me zope.site and co.

    Best regards,

    Sylvain,