Aleksander Salwa wrote:
Few days ago I found that on site that I'm currently working on, everybody can add DTMLMethods and Documents (and maybe do more, I haven't checked yet, but I think it's bad enough !) by simply entering URL http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1
You're right. It's because of a "legacy" issue. Here's a quick patch that plugs the hole: Index: ProductContext.py =================================================================== RCS file: /cvs-repository/Zope2/lib/python/App/ProductContext.py,v retrieving revision 1.27 diff -u -r1.27 ProductContext.py --- ProductContext.py 2000/11/20 15:36:35 1.27 +++ ProductContext.py 2000/12/08 18:46:38 @@ -195,7 +195,7 @@ else: name=method.__name__ if not OM.__dict__.has_key(name): setattr(OM, name, method) - setattr(OM, name+'__roles__', pr) + setattr(OM, method.__name__+'__roles__', pr) if type(initial) is tt: name, initial = initial else: name=initial.__name__ This is not perfect, however. I'm working on a better solution. Shane