Andy McKay wrote:
Well if an anonymous user was allowed access to none of your site except standard_error_message that would sound like a security hole some person with a warped mind on these issues could use.
I don't think so... the site designer just has to remember that object is anonymously viewable, as with any other anonymously viewable object. If it's not anonymously viewable, fair enough, throw the hard coded error _saying_ standard_error_message wasn't viewable by anonymous... ...besides, telling them the path where Zope is installed on your server, which the error message does, is probably a much worse security 'hole'. I don't like the way Zope does this for _all_ standard_html_error's, especially as it tacks the error on the end of the HTML in production mode, thus generating technically incorrect HTML (I think? ;-) cheers, Chris