On 01 Aug 2001 13:01:21 -0700, Michael R. Bernstein wrote:
On 01 Aug 2001 20:01:12 +0200, Joachim Werner wrote:
Supposedly, setting __allow_access_to_unprotected_subobjects__ = 0
I **might** have found an answer to this: [snip] Seems that "__allow_access_to_unprotected_subobjects__ = 0" is wrong. It should either be "1" or a dictionary of permissions ...
Does that help a bit?
Ok, so I tried to set '__allow_access_to_unprotected_subobjects__ = {}' in the class, but this *still* has no effect.
Correction: This *does* disallow access to attributes and methods from unrestricted code, i.e.:

    <dtml-with TestInstance>
      <dtml-var method>
    </dtml-with>

raises an unauthorized exception (progress!).

However, *traversing* to the unprotected methods is still being allowed, where I'm fairly certain that it shouldn't be. The only thing I'm doing with traversal (assuming that my code is at fault here) is the following:

    def __getitem__(self, id):
        return self.Entries[id].__of__(self)

Entries is a dictionary that uses id as a key, and instances of my EntryClass as values. Could this be screwing with the security somehow, and allowing access to unprotected methods of my main class?

Thanks for the help,

Michael Bernstein.