14 Sep 2000, 2:36 p.m.
Shane Hathaway wrote:
How should I go about petitioning for <dtml-var anobject aq_context> to become valid syntax?
There's one little (okay, big) problem with this idea: aq_context strips the security context. In fact, it could be used to confuse the security machinery.
Let's say I'm Joe Hacker and I have set up membership at www.zope.org/Members/jhacker. I create a DTML method called index_html with this:
<dtml-with Members>
  <dtml-with hathawsh aq_context>
    <dtml-call expr="index_html.manage_edit('1 0WN U')">
  </dtml-with>
</dtml-with>
Alright, I give up :-( This would be really useful, but if it's going to open up security holes everywhere, then I best leave it alone :-S

cheers,
Chris
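A toy model of the confusion discussed in this message, added here as an illustration and not taken from Zope or from either poster. It assumes a permission check that collects local roles from whatever wrapper context it is handed, and contrasts it with one that walks only the object's real containment; `Node`, `Wrapper` and both lookup functions are hypothetical names.

```python
# Toy model (constructed for illustration; not Zope or Acquisition code).
class Node:
    """An object with a fixed containment parent and per-user local roles."""
    def __init__(self, name, container=None, local_roles=None):
        self.name = name
        self.container = container
        self.local_roles = local_roles or {}

class Wrapper:
    """An object seen through a context that may differ from its containment."""
    def __init__(self, obj, context):
        self.obj = obj
        self.context = context

def containment_chain(node):
    """Yield node, its container, that container's container, and so on."""
    while node is not None:
        yield node
        node = node.container

def roles_naive(user, wrapper):
    """Assumed weak check: trusts the context the wrapper carries."""
    roles = set(wrapper.obj.local_roles.get(user, ()))
    for node in containment_chain(wrapper.context):
        roles |= set(node.local_roles.get(user, ()))
    return roles

def roles_by_containment(user, wrapper):
    """Hardened check: ignores the context, walks where the object really lives."""
    roles = set()
    for node in containment_chain(wrapper.obj):
        roles |= set(node.local_roles.get(user, ()))
    return roles

def may_edit(user, wrapper, role_lookup):
    """Editing requires the Owner role under the chosen lookup."""
    return "Owner" in role_lookup(user, wrapper)

# Constructed sample tree mirroring the paths named in the message.
root = Node("root")
members = Node("Members", root)
jhacker = Node("jhacker", members, {"jhacker": ["Owner"]})
hathawsh = Node("hathawsh", members, {"hathawsh": ["Owner"]})
target = Node("index_html", hathawsh)

normal = Wrapper(target, hathawsh)    # reached through its real container
rewrapped = Wrapper(target, jhacker)  # same object, caller-chosen context
```

Under the context-trusting lookup the re-wrapped object inherits the caller's Owner role; under the containment lookup the answer is the same for both wrappers.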