I noticed that the most recent hotfix completely denies access to the getClassAttr, setClassAttr and delClassAttr from DTML. Is this going to be the behavior for future Zope versions?
Yes - I think that manipulating actual class objects from DTML is a Bad Thing.
I know this will break code, so it might be prudent to alert people when the fix is rolled into the next Zope release.
I would like to argue for deprecating these functions in favor of making the ZClass act like a dictionary so that:
ZClass.set('name',value) ZClass.get('name'[,inherit]) ZClass['name']
could be called securely from scripts. I would be willing to write the code for this if you think it would be a good idea.
I'm not sure why you're wanting to do that, so it scares me :) I think that manipulation of class objects is beyond the scope of what "DTML scripters" should reasonably expect to be able to do. Brian Lloyd brian@digicool.com Software Engineer 540.371.6909 Digital Creations http://www.digicool.com