On 01 Aug 2001 13:32:21 -0700, Michael R. Bernstein wrote:
On 01 Aug 2001 13:01:21 -0700, Michael R. Bernstein wrote:
On 01 Aug 2001 20:01:12 +0200, Joachim Werner wrote:
Supposedly, setting __allow_access_to_unprotected_subobjects__ = 0
I **might** have found an answer to this: [snip] Seems that "__allow_access_to_unprotected_subobjects__ = 0" is wrong. It should either be "1" or a dictionary of permissions ...
Does that help a bit?
Ok, so I tried to set '__allow_access_to_unprotected_subobjects__ = {}' in the class, but this *still* has no effect.
Correction: This *does* disallow access to attributes and methods from unrestricted code, i.e.:

    <dtml-with TestInstance>
      <dtml-var method>
    </dtml-with>

raises an unauthorized exception (progress!). However, *traversing* to the unprotected methods is still being allowed, where I'm fairly certain that it shouldn't be.
Another correction <sigh>: I had a sneaking suspicion, so I went back and set '__allow_access_to_unprotected_subobjects__ = 0' again. Guess what, access from restricted code is *not* being allowed <sigh>. So, Chris' suggestion was correct, after all.

Well, I apologize if this has confused people. I simply assumed that if I could traverse to a method, then it was also accessible from restricted code (I'm not 100% certain that this wasn't a valid assumption).

So, something weird is happening WRT traversal here, whether it's a bug in Zope or my code. Anyone have suggestions on investigating further?

Thanks,
Michael Bernstein.