title_or_id permissions on Files
Hello, I have a folder full of files. One of these files has the "View" permission removed from all roles so that no one can view this file. I also have a python script which lists the files in the folder like this: for file in context.objectValues('File'): print file.title_or_id() This code fails when it tries to access the title_or_id method of the file with the "View" permission removed. However, if I change the python script to something like this: for file in context.objectValues('File'): print file.getProperty('title', file.getId()) Everything works. I believe that the restricting permission for the title_or_id method should be "Access Contents Information" not "View". However I am not sure where the title_or_id method of File is defined. Should I submit this as a bug? This has caused me trouble in the past and it seems like the second python example should not have to be used since the title_or_id method exists. Thanks, -Brian Brinegar ECN Web Systems Developer
On Wed, 2003-01-08 at 18:27, Brian R Brinegar wrote:
Hello,
[... good explanation of "View" permission affecting .title_or_id() ...]
Should I submit this as a bug? This has caused me trouble in the past and it seems like the second python example should not have to be used since the title_or_id method exists.
I think you should, yes. -- Ideas don't stay in some minds very long because they don't like solitary confinement.
Brian R Brinegar wrote at 2003-1-8 15:27 -0500:
... Everything works. I believe that the restricting permission for the title_or_id method should be "Access Contents Information" not "View". However I am not sure where the title_or_id method of File is defined. You can use my "DocFinder" product to find this out. --> <http://www.dieter.handshake.de/pyprojects/zope>
It may not have an explicite protection at all and be protected implicitly by the "Object Protection". The "Object Protection" is usually "Access Contents Information", but sometimes "View" or something different. Dieter
On Fri, 10 Jan 2003, Dieter Maurer wrote:
Brian R Brinegar wrote at 2003-1-8 15:27 -0500:
... Everything works. I believe that the restricting permission for the title_or_id method should be "Access Contents Information" not "View". However I am not sure where the title_or_id method of File is defined. You can use my "DocFinder" product to find this out. --> <http://www.dieter.handshake.de/pyprojects/zope>
It may not have an explicite protection at all and be protected implicitly by the "Object Protection".
The "Object Protection" is usually "Access Contents Information", but sometimes "View" or something different.
Very possible. In any case, is this the correct behavior? Show a method be protected if it isn't protecting any data? -Brian
Brian R Brinegar wrote at 2003-1-10 16:28 -0500:
Very possible. In any case, is this the correct behavior? Show a method be protected if it isn't protecting any data? You never know what people want to hide.
There have been many complaints that people can find out which "id"s are used in a Web site. "title"s provide much more detailed information. Personally, I am for openess, not only for open source but also for open Web sites (not that anyone can put spam on it or modify the content, but that anyone can see how it was done). I would not hide "id", "title", ... Dieter
On Sat, 11 Jan 2003 19:09:08 +0100, Dieter Maurer spoke forth:
Brian R Brinegar wrote at 2003-1-10 16:28 -0500:
Very possible. In any case, is this the correct behavior? Show a method be protected if it isn't protecting any data? You never know what people want to hide.
There have been many complaints that people can find out which "id"s are used in a Web site. "title"s provide much more detailed information.
Personally, I am for openess, not only for open source but also for open Web sites (not that anyone can put spam on it or modify the content, but that anyone can see how it was done). I would not hide "id", "title", ...
I would agree that id and title should be open, but what Brian's initial concern was about was that access to id and title are sometimes controlled by the "Access Contents Information" permission, and other times they are controlled by the "View" permission. The goal is for consistency with the use of the permissions. Not just in the core products, but some "standard" that people should follow when creating their own products. -Chris
participants (4)
-
Brian R Brinegar -
Christopher N. Deckard -
Dieter Maurer -
Leonardo Rochael Almeida