Tres Seaver wrote:
Dieter Maurer wrote:
Santi Camps wrote at 2004-10-19 15:05 +0200:
...
Error Type: Unauthorized
Error Value: The container has no security assertions. Access to 'get_sum_of_values' of (Adapter instance at 40ae6ac0) denied.
This tells you that the container containing "get_sum_of_values" does not have security assertions. Is this wrong?
The container (the class Test.Test in Santi's product) does have security assertions for *itself*:

    from OFS.OrderedFolder import OrderedFolder
    from AccessControl import ClassSecurityInfo

    class Test(OrderedFolder):
        """ Test """
        meta_type = 'AccessControl Test'
        security = ClassSecurityInfo()
        security.declareObjectProtected('View')
However it makes no assertion for the attribute 'get_sum_of_values':
        ############################################################
        def get_sum_of_values(self):
            """ """
            return self.value1 + self.value2
AFAICT, the new behavior is perfectly correct here: absent either an explicit permission declaration for 'get_sum_of_values', or a "blanket grant" for unprotected subobjects (e.g., 'security.setDefaultAccess(1)'), the template which fails *should* fail; the fact that it used to succeed was merely a security hole.
Tres.
Hi again,

Adding a security.declareProtected('View', 'get_sum_of_values') results in the same error.

Anyway, I can't understand a behaviour that allows accessing a method directly from the URL but crashes when the access is done from a ZPT. If what you want is that all methods without an explicit permission declaration be considered private, direct access from a URL should also raise an Unauthorized error, I think.

On the other hand, I don't think that the current code could be considered a security hole. If a method is unprotected, then the protection of the object itself is applied. I like it. But I understand that this is a personal opinion. I suppose the change is due to some security hole found.

Regards
Santi Camps
http://www.earcon.com
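The rule Tres states above (an attribute on a protected container is reachable only when it carries its own declaration or the class makes a blanket grant for unprotected subobjects) can be illustrated with a small stand-alone model. The following is an added example, not Zope's AccessControl code and not part of the thread: the ClassSecurityInfo here is a simplified stand-in that only records declarations, check_access is an assumed helper, and the three scenario_* functions are constructed from the class fragments quoted above. Zope's real policy also consults roles and acquisition, which this model leaves out.

```python
# Added illustration (not Zope's own AccessControl code): a minimal model of
# the class-security rule discussed in the thread. Method names mirror the
# real ClassSecurityInfo API; the storage and the checker are simplifications.

class ClassSecurityInfo:
    """Records the declarations a Zope-style class would make."""

    def __init__(self):
        self.object_permission = None   # set by declareObjectProtected
        self.attr_permissions = {}      # name -> permission, None = private
        self.default_access = False     # set by setDefaultAccess(1)

    def declareObjectProtected(self, permission):
        self.object_permission = permission

    def declareProtected(self, permission, *names):
        for name in names:
            self.attr_permissions[name] = permission

    def declarePrivate(self, *names):
        for name in names:
            self.attr_permissions[name] = None

    def setDefaultAccess(self, flag):
        self.default_access = bool(flag)


class Unauthorized(Exception):
    pass


def check_access(security, attr, user_permissions):
    """Decide whether a user holding ``user_permissions`` may reach ``attr``.

    1. An attribute with its own declaration is judged by that declaration.
    2. Otherwise, with a blanket grant (setDefaultAccess(1)), the container's
       own permission is what counts: the older behaviour Santi describes,
       where "the protection of the object itself is applied".
    3. Otherwise access is refused, which is the error quoted in the thread.
    """
    if attr in security.attr_permissions:
        needed = security.attr_permissions[attr]
        if needed is None:
            raise Unauthorized("%r is declared private" % attr)
        if needed not in user_permissions:
            raise Unauthorized("%r requires %r" % (attr, needed))
        return True
    if security.default_access:
        if security.object_permission not in user_permissions:
            raise Unauthorized("container requires %r"
                               % security.object_permission)
        return True
    raise Unauthorized("The container has no security assertions. "
                       "Access to %r denied." % attr)


def allowed(security, attr, user_permissions):
    """Boolean wrapper around check_access for the scenarios below."""
    try:
        return check_access(security, attr, user_permissions)
    except Unauthorized:
        return False


def scenario_unprotected():
    """Santi's class as quoted: object protected by View, method undeclared."""
    sec = ClassSecurityInfo()
    sec.declareObjectProtected('View')
    return allowed(sec, 'get_sum_of_values', {'View'})


def scenario_declared():
    """Same class with an explicit declaration for the method.
    Returns (View holder allowed?, user with no permissions allowed?)."""
    sec = ClassSecurityInfo()
    sec.declareObjectProtected('View')
    sec.declareProtected('View', 'get_sum_of_values')
    return (allowed(sec, 'get_sum_of_values', {'View'}),
            allowed(sec, 'get_sum_of_values', set()))


def scenario_blanket_grant():
    """Same class using the blanket grant Tres mentions instead.
    Returns (View holder allowed?, user with no permissions allowed?)."""
    sec = ClassSecurityInfo()
    sec.declareObjectProtected('View')
    sec.setDefaultAccess(1)
    return (allowed(sec, 'get_sum_of_values', {'View'}),
            allowed(sec, 'get_sum_of_values', set()))


if __name__ == '__main__':
    print("undeclared method, View holder:", scenario_unprotected())
    print("declared method (View holder, no perms):", scenario_declared())
    print("blanket grant (View holder, no perms):", scenario_blanket_grant())
```

Running the script prints False for the first scenario, which is the denial Santi hit, and (True, False) for the other two: both the explicit declaration and the blanket grant let a View holder through while still refusing a user with no permissions. The difference between them is scope: declareProtected opens one named attribute, whereas setDefaultAccess(1) opens every undeclared attribute of the class to anyone who can reach the container.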