portal_registry.get fails for anonymous user in skin templates #1292

Closed
mauritsvanrees opened this issue Dec 21, 2015 · 2 comments

Comments

@mauritsvanrees
Member

Several browser view templates use context.portal_registry.get and this works fine, for example Products/CMFPlone/browser/templates/contact-info-email.pt.

But in old style skin templates it fails for anonymous users. In core Plone 5 this is for these templates:

ATContentTypes/skins/ATContentTypes/atct_topic_pdf.pt
ATContentTypes/skins/ATContentTypes/atct_topic_subtopics.pt
CMFPlone/skins/plone_content/folder_full_view_item.pt

@topiaruss This is the problem you reported in IRC, caused by the second template. The offending code looks like this:

<tal:topiccontents define="
  topicContents python:here.queryCatalog(batch=True);
  use_view_action python:context.portal_registry.get('plone.types_use_view_action_in_listings', []);
  batch topicContents;"
  on-error="python:request.RESPONSE.redirect(context.absolute_url())">...</tal:topiccontents>

Workaround: change this to context.portal_registry['plone.types_use_view_action_in_listings'] and it works. You don't get the benefit of the more gracious fallback when this registry setting does not exist, but so be it. I think I will commit this.

Question I have is: should we allow access to portal_registry.get in these kinds of templates? But for now it seems easier to fix these three templates.

For reference a way to reproduce the error:

  • Create a Plone 4.1 site.
  • Create an old-style Topic (ATContentTypes).
  • Update the buildout to Plone 5.0.
  • Run the standard plone-upgrade, but not the content types upgrade.
  • As admin visit the old style Topic. No problem, except that I saw a CSRF confirmation dialog first.
  • As anonymous user visit the old style topic. Due to the on-error in the template you get redirected, but the URL is the same page, so you get redirected again. And again. Etcetera.

Another way to reproduce a similar error, due to the use of .get in folder_full_view_item.pt:

  • Create a Plone 5.0 site.
  • As anonymous user, visit folder_full_view in the Plone Site root. You get an Unauthorized exception because of the disallowed use of portal_registry.get.
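The failure described above comes from attribute-level security checks on code that runs in a restricted context (skin templates and TAL python: expressions): item access on the registry is reachable for anonymous callers, while the plain method get is not, so the same lookup raises Unauthorized or succeeds depending only on which access path the template uses. The following is an added illustration, not code from the issue, from Plone or from Zope's AccessControl: the Registry class, the PROTECTED table, the role names and the guarded_getattr helper are simplified stand-ins that model the asymmetry, and the registry record and its value are constructed sample data. It also shows one way to keep the graceful default that the [...] workaround gives up, by catching KeyError around item access instead of calling get.

```python
"""Toy model of Zope-style attribute security in restricted code.

Added for illustration only; this is not Zope's AccessControl and not
plone.app.registry.  The permission table, roles and guarded_getattr
are simplified stand-ins for the real machinery.
"""


class Unauthorized(Exception):
    """Raised when a role reaches for an attribute it may not use."""


class Registry:
    """Stand-in for the configuration registry: a dict-like record store."""

    def __init__(self, records):
        self._records = dict(records)

    def __getitem__(self, name):
        # Item access: raises KeyError when the record does not exist.
        return self._records[name]

    def get(self, name, default=None):
        # Method access with a graceful default.
        return self._records.get(name, default)


# Constructed permission table (assumption, not Zope's real declarations):
# which roles may reach which Registry attributes from restricted code.
# Item access is open to everyone; the plain ``get`` method is only open
# to managers.  That asymmetry is what produces Unauthorized for anonymous
# visitors in the templates named in the issue.
PROTECTED = {
    "__getitem__": {"Anonymous", "Manager"},
    "get": {"Manager"},
}


def guarded_getattr(obj, name, role):
    """Resolve an attribute the way restricted code would: deny unless the
    caller's role is on the allow list for that attribute."""
    allowed = PROTECTED.get(name, set())
    if role not in allowed:
        raise Unauthorized(f"{role!r} may not access {type(obj).__name__}.{name}")
    return getattr(obj, name)


def template_lookup_with_get(reg, key, role, default=None):
    """What the failing templates do: context.portal_registry.get(key, [])."""
    return guarded_getattr(reg, "get", role)(key, default)


def template_lookup_with_item(reg, key, role):
    """The committed workaround: context.portal_registry[key]."""
    return guarded_getattr(reg, "__getitem__", role)(key)


def safe_lookup(reg, key, role, default=None):
    """Keep the graceful default while using only the item access that
    anonymous callers are permitted in this model."""
    try:
        return template_lookup_with_item(reg, key, role)
    except KeyError:
        return default


if __name__ == "__main__":
    # Constructed sample record; the value is made up for the demo.
    reg = Registry({"plone.types_use_view_action_in_listings": ["File", "Image"]})
    key = "plone.types_use_view_action_in_listings"
    print("manager via get:", template_lookup_with_get(reg, key, "Manager", []))
    try:
        template_lookup_with_get(reg, key, "Anonymous", [])
    except Unauthorized as exc:
        print("anonymous via get:", exc)
    print("anonymous via item:", template_lookup_with_item(reg, key, "Anonymous"))
    print("anonymous, missing key, safe_lookup:", safe_lookup(reg, "no.such.record", "Anonymous", []))
```

Running the module prints the manager succeeding through get, the anonymous caller being refused through get, the same anonymous caller succeeding through item access, and safe_lookup returning the default for a missing record. The same pattern applies to the on-error handler in the template: once the lookup no longer raises for anonymous users, the redirect to the page's own URL is never triggered, and the loop the issue describes disappears.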
mauritsvanrees added a commit to plone/Products.ATContentTypes that referenced this issue Dec 21, 2015
mauritsvanrees added a commit to plone/buildout.coredev that referenced this issue Dec 21, 2015
Branch: refs/heads/master
Date: 2015-12-21T15:30:44+01:00
Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org>
Commit: plone/Products.ATContentTypes@b6d667a

Fixed Unauthorized error causing a redirect loop in old style Topics.

This only happened for anonymous users.

Fixes issue plone/Products.CMFPlone#1292

Files changed:
M CHANGES.rst
M Products/ATContentTypes/skins/ATContentTypes/atct_topic_pdf.pt
M Products/ATContentTypes/skins/ATContentTypes/atct_topic_subtopics.pt
M Products/ATContentTypes/skins/ATContentTypes/atct_topic_view.pt
mauritsvanrees added a commit to plone/buildout.coredev that referenced this issue Dec 21, 2015
Branch: refs/heads/master
Date: 2015-12-21T15:37:55+01:00
Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org>
Commit: plone/Products.CMFPlone@2eded98

Fixed Unauthorized error in folder_full_view for anonymous users.

Fixes issue plone/Products.CMFPlone#1292

Files changed:
M CHANGES.rst
M Products/CMFPlone/skins/plone_content/folder_full_view_item.pt
@mauritsvanrees
Member Author

I have released Products.ATContentTypes 2.2.10 with fixes.

@jensens
Member

jensens commented Feb 10, 2016

I think we can close this one.

@jensens jensens closed this as completed Feb 10, 2016