On 21/01/2004, at 2:34 AM, Tres Seaver wrote:
> Zope 2.6.3 added a new security check for untrusted code, to ensure that the "bindings" created (in particular, 'context' and 'container') weren't set up if the user didn't have access to the bound objects.
>
> You can either:
>
> - On the template's "Bindings" tab, unbind the 'context' name (assuming that your template does not use either 'context' or 'here')
> - Give the template a proxy role of 'Manager'.

Don't suppose you can be more specific on 'has access'? According to my security tab, my container has both View and Access Contents Information granted to Authenticated. Somewhere, I'm losing authorization where in 2.7b3 I wasn't.

I think I've tracked down a minimal example, the trigger being my use of __allow_access_to_unprotected_subobjects__ = None. I'm thinking this recent change is incompatible if a parent object tightens security in this way or uses security.setDefaultAccess('deny'). The workaround is to explicitly grant access to the name '' as I've done in the attached example.

Should policy.validate(name='') be changed to cope with this situation, or shall I update CHANGES.txt and ClassSecurityInfo.setDefaultAccess attempting to explain the situation and the fix?

--
Stuart Bishop <stuart@stuartbishop.net>
http://www.stuartbishop.net/