Bugs in new Security Stuff :P (part1)
Right, first up this thing about HTMLFiles which form part of the management interface. Why are they totally immune to the security stuff? It gets really confusing when something works fine in a management screen and yet breaks everywhere else, especially when it's not throwing a security error (more in part II ;-)
So, why is it like this?
cheers, Chris
On Tue, 22 Aug 2000, Chris Withers wrote:
Why are they totally immune to the security stuff? It gets really confusing when something works fine in a management screen and yet breaks everywhere else, especially when it's not throwing a security error (more in part II ;-)
So, why is it like this?
My guess: because part of the Zope security model is that if you have access to the file system (i.e. external method, python product) you are allowed to do anything. It's only when you try to call that anything from dtml that security gets involved (unless you code the security yourself). Under the new security model of "denied unless explicitly permitted", the current behavior of on-disk dtml methods is arguably wrong.
--RDM
"R. David Murray" wrote:
Under the new security model of "denied unless explicitly permitted", the current behavior of on-disk dtml methods is arguably wrong.
I think that's true, so what's a good way to tackle the problem?
cheers, Chris
participants (2)
- Chris Withers
- R. David Murray