Storm

security proxied getslice on ResultSet

Bug #237615 reported by Jürgen Kartnaller on 2008-06-05

4

Affects		Status	Importance	Assigned to	Milestone
	Storm	Fix Released	Low	Jamu Kakar

Bug Description

Slicing on a security proxied ResultSet is not possible.

This happens because Python first checks for the existence of __getslice__.

__getslice__ is not included in IResultSet which leads to an attribute error.

Solution :
- add __getslice__ to IResultSet
- or add <allow attributes="__getslice__" /> to the zcml class directive.

Workaround until this is fixed :

Add this to your zcml :

<class class="storm.store.ResultSet">
<allow attributes="__getslice__" />
</class>

Related branches

lp:~jkakar/storm/allow-get-slice (Merged)

Revision history for this message

Jamu Kakar (jkakar) wrote on 2008-06-05:

#1

I've pushed a branch with the following trivial diff:

=== modified file 'storm/zope/configure.zcml'
--- storm/zope/configure.zcml 2007-08-05 22:15:26 +0000
+++ storm/zope/configure.zcml 2008-06-05 22:01:38 +0000
@@ -11,6 +11,7 @@

     <class class="storm.store.ResultSet">
         <allow interface=".interfaces.IResultSet" />
+ <allow attributes="__getslice__" />
     </class>

<class class="storm.store.EmptyResultSet">

The reason I'm not merging it directly to trunk is that I'm not 100%
sure we want this. Isn't __getitem__ used in preference to
__getslice__?

Changed in storm:
assignee:	nobody → jkakar
importance:	Undecided → Low
status:	New → In Progress

Revision history for this message

Gustavo Niemeyer (niemeyer) wrote on 2008-06-05:

#2

+1 on the change!

Indeed __getitem__ is preferrable, but the issue is that CPython will look
for __getslice__ even if it's not using it.

Revision history for this message

James Henstridge (jamesh) wrote on 2008-06-06:

#3

I'd add the method to IResultSet, actually. That way it'll apply to EmptyResultSet too.

Other than that, +1 from me.

Revision history for this message

Gustavo Niemeyer (niemeyer) wrote on 2008-06-06:

#4

But the method isn't actually present in either of them, James. We're just allowing
Python to see that the method it should use is __getitem__. If we add it to the
interface we'll have to implement and test it on them too.

Revision history for this message

James Henstridge (jamesh) wrote on 2008-06-07:

#5

Fair enough. In any case, I'd like to see __getslice__ as an allowed attribute on EmptyResultSet if it is allowed on ResultSet.

Revision history for this message

Jürgen Kartnaller (jukart) wrote on 2008-06-07:

#6

I would also prefer the "allow attributes" variant because __getslice__ is not really implemented.
Adding it to the interface would mislead one to use it.
And of course it should then also be added to EmptyResultSet.

Revision history for this message

Jamu Kakar (jkakar) wrote on 2008-06-09:

#7

Merged to trunk [r=jamesh,niemeyer].

Changed in storm:
status:	In Progress → Fix Committed

Revision history for this message

Jamu Kakar (jkakar) wrote on 2008-06-18:

#8

Oops, apparently I forgot to commit the merge. This is now in
storm/trunk r239.

Revision history for this message

James Henstridge (jamesh) wrote on 2008-08-29:

#9

Fix released in 0.13.

Changed in storm:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Related questions

Netflix Desktop: Silverlight 5.1 Plugin Crash on Ubuntu 13.10

Remote bug watches

Bug watches keep track of this bug in other bug trackers.