Methods with no __roles__ defined no always protected?
Hi, Just doing Squishdot for 2.2 when I noticed the following: The SquishSite class has a method called item_count() which is used on one of the management pages. It currently isn't protected by any permissions or __roles__ and yet it still works fine on the management screen concerned. I thought this sort of thing was supposed to throw up an unauthorized error in 2.2? cheers, Chris PS: It is now protected by a permission, but I can send anyone who cares a version which isn't...
On Mon, 21 Aug 2000 12:15:24 +0100, Chris Withers <chrisw@nipltd.com> wrote:
The SquishSite class has a method called item_count() which is used on one of the management pages. It currently isn't protected by any permissions or __roles__ and yet it still works fine on the management screen concerned.
I thought this sort of thing was supposed to throw up an unauthorized error in 2.2?
No, for two reasons: Firstly, I assume your management page is a dtml file on disk, not a dtml object stored in the ZODB. dtml files bypass *all* security checks. Secondly, all objects that inherit from OFS.Item.SimpleItem (that is, almost all high level objects) have the __allow_access_to_unprotected_subobjects__ flag set. Your method would be callable from through-the-web dtml too. The basic rules of Zope security are fairly easy; its the exceptions that cause the problems. Toby Dickenson tdickenson@geminidataloggers.com
Toby Dickenson wrote:
Firstly, I assume your management page is a dtml file on disk, not a dtml object stored in the ZODB. dtml files bypass *all* security checks.
That's nice :(
Secondly, all objects that inherit from OFS.Item.SimpleItem (that is, almost all high level objects) have the __allow_access_to_unprotected_subobjects__ flag set. Your method would be callable from through-the-web dtml too.
Even though it now has a permission attached to it? cheers, Chris
participants (2)
-
Chris Withers -
Toby Dickenson