Chris Withers wrote:
How should I go about petitioning for <dtml-var anobject aq_context> to become valid syntax?
There's one little (okay, big) problem with this idea: aq_context strips the security context. In fact, it could be used to confuse the security machinery.

Let's say I'm Joe Hacker and I have set up membership at www.zope.org/Members/jhacker. I create a DTML method called index_html with this:

    <dtml-with Members>
      <dtml-with hathawsh aq_context>
        <dtml-call expr="index_html.manage_edit('1 0WN U')">
      </dtml-with>
    </dtml-with>

Line 2 might be written as <dtml-with hathawsh><dtml-with aq_context>.

Now I may have accessed the member folder for hathawsh with the local roles that are supposed to be in effect only in my own folder. Zope acquires the local roles from anything in the path /Members/jhacker/Members/hathawsh/index_html. Normally the local roles would be determined by /Members/hathawsh/index_html, in which case Zope would find no local roles for jhacker.

"aq_containment" should be fine, however.

Shane
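The difference between the two role lookups described in the reply above, as an added example that is not part of the original post and is not Zope's code. It is a simplified model: the `Node` class, the helper names and the `Owner` role assignments are assumptions constructed to mirror the paths named in the post.

```python
# Simplified model of local-role lookup; not Zope's implementation.
class Node:
    def __init__(self, name, container=None, local_roles=None):
        self.name = name
        self.container = container              # physical parent
        self.local_roles = local_roles or {}    # user -> set of role names

def containment_chain(obj):
    """Object and its physical parents, innermost first."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = obj.container
    return chain

def local_roles_for(user, chain):
    """Union of the local roles granted to user on every object in chain."""
    roles = set()
    for node in chain:
        roles |= node.local_roles.get(user, set())
    return roles

def build_site():
    # Constructed sample tree mirroring the paths named in the post.
    root = Node("")
    members = Node("Members", root)
    jhacker = Node("jhacker", members, {"jhacker": {"Owner"}})
    hathawsh = Node("hathawsh", members, {"hathawsh": {"Owner"}})
    target = Node("index_html", hathawsh)
    return root, members, jhacker, hathawsh, target

def compare(user="jhacker"):
    root, members, jhacker, hathawsh, target = build_site()
    # Objects visited for /Members/jhacker/Members/hathawsh/index_html
    access_path = [root, members, jhacker, members, hathawsh, target]
    by_context = local_roles_for(user, access_path)
    by_containment = local_roles_for(user, containment_chain(target))
    return by_context, by_containment

if __name__ == "__main__":
    ctx, cont = compare()
    print("roles via access path:     ", sorted(ctx))
    print("roles via containment path:", sorted(cont))
```

Computing roles from the containment chain of the target is the behaviour the post calls normal: the role granted in /Members/jhacker never reaches /Members/hathawsh/index_html.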