Max M writes:
    ....
    <dtml-in getAllComments>
        <i><dtml-var author></i><br>
    .....
    Traceback:
    ....
    Unauthorized: author

    ....
    def addComment(self, comment='', author='' , RESPONSE=None):
        "Adds a comment"
        self.comments.append(aComment(comment, author))
        self._p_changed = 1 # Trigger persistence
        RESPONSE.redirect('index_html')
    ....
    def getAllComments(self):
        "returns a list of all comments"
        return self.comments

Your "getAllComments" returns a list of bare (unwrapped) objects. This removes any possibility to acquire permissions.

You should probably rewrite your "getAllComments" like this:

    def getAllComments(self):
        "returns a list of all comments"
        r = []
        for c in self.comments:
            # wrap each comment in the context of its container
            r.append(c.__of__(self))
        return r

This would require that "aComment" inherits from "Acquisition.Implicit" (or "Explicit").

Furthermore, your "aComment" does not specify any security rules. With the new Zope 2.2 security policy, this means access is prohibited. You may consider providing security rules. There is a nice document from Brian which explains your options.

Dieter
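
A toy model of the two conditions named in the reply above, added here as an example; it is not Zope's code and not part of the original message. It shows that an attribute read succeeds only when the object carries a security rule and is wrapped so the role setting can be found on its container. `Wrapper`, `Implicit`, `checked_getattr`, `declared`, `permission_roles` and `Board` are hypothetical stand-ins, and the rule and role values are constructed.

```python
# Simplified model only: real Zope uses Acquisition wrappers and its own
# security policy. All names below are hypothetical stand-ins.
class Unauthorized(Exception):
    pass

class Wrapper:
    """Stand-in for an acquisition wrapper: the object plus its container."""
    def __init__(self, obj, parent):
        self.aq_base, self.aq_parent = obj, parent

class Implicit:
    """Stand-in for Acquisition.Implicit; only __of__ is modelled."""
    def __of__(self, parent):
        return Wrapper(self, parent)

def roles_for(permission, obj):
    """Walk obj and its containers for a role setting of this permission."""
    while obj is not None:
        base = getattr(obj, "aq_base", obj)
        settings = getattr(base, "permission_roles", {})
        if permission in settings:
            return settings[permission]
        obj = getattr(obj, "aq_parent", None)
    return ()  # a bare object has no container to ask

def checked_getattr(obj, name, user_roles):
    """Model of the check made when a template reads obj.<name>."""
    base = getattr(obj, "aq_base", obj)
    permission = getattr(base, "declared", {}).get(name)
    if permission is None:  # the class declares no security rule
        raise Unauthorized(name)
    if not set(roles_for(permission, obj)) & set(user_roles):
        raise Unauthorized(name)
    return getattr(base, name)

class aComment(Implicit):
    declared = {"author": "View", "comment": "View"}  # constructed rule
    def __init__(self, comment, author):
        self.comment, self.author = comment, author

class Board:
    permission_roles = {"View": ("Anonymous",)}  # constructed role setting
    def __init__(self):
        self.comments = []
    def getAllComments(self, wrap=True):
        "returns all comments, wrapped in this container unless wrap is false"
        return [c.__of__(self) if wrap else c for c in self.comments]
```
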