Hi, I have a simple file-library type page, and am tweaking it a bit so that anonymous users don't see all the file upload options etc. I'd like to hide the "add file" link from anonymous viewers. On the DTML method that shows a file upload form, I changed the "View" permission to "Authenticated" users. On the file library page, I wrapped a <dtml-if> around the code that makes the link to the upload page:

<dtml-if "AUTHENTICATED_USER.has_permission('View', upload)"> <a href="upload">Upload</a> </dtml-if>

However, for unauthenticated users, Zope gives the error that "upload" doesn't exist. So apparently, if a user can't View an object, they also can't call .has_permission('View', object). Am I missing something?

To work around it, I just used a <dtml-if upload>; dtml-if has nice behaviour when objects aren't found. I'm using Zope 2.5.

Cheers, Tom Rockwell
Tom Rockwell writes:
> ... <dtml-if "AUTHENTICATED_USER.has_permission('View', upload)"> <a href="upload">Upload</a> </dtml-if>
> However, for unauthenticated users, Zope gives the error that "upload" doesn't exist. So apparently, if a user can't View an object, they also can't call .has_permission('View', object). Am I missing something?

No, you are not missing anything!
I am not sure whether I should call this a bug. Zope already protects the lookup of an object, not only the actual object access. While this would not be strictly necessary, it increases security, as objects you do not have access rights to cannot even be moved around.

Your code above looks up "upload" and therefore raises an "Unauthorized" exception, which in some cases is turned into a "KeyError" (I am quite sure this is a bug. One may argue that I should not even know about the existence of an object I have no access rights to. But it is very confusing and (IMV) paranoid).

You can put your test into a "<dtml-try>...<dtml-except>..." to work around this security feature.

Dieter
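The workaround Dieter describes, written out as an added DTML example that is not from either message: the lookup and permission test are wrapped in <dtml-try>, so the Unauthorized (or KeyError) raised when an anonymous user's page looks up "upload" only suppresses the link instead of breaking the page. It assumes the same object name and DTML method as Tom's snippet.

```dtml
<dtml-try>
  <dtml-comment>
    For a user without View on "upload", the name lookup itself raises
    Unauthorized (sometimes surfacing as KeyError) before has_permission
    is ever called; dtml-try catches it so the rest of the page renders.
  </dtml-comment>
  <dtml-if "AUTHENTICATED_USER.has_permission('View', upload)">
    <a href="upload">Upload</a>
  </dtml-if>
<dtml-except>
  <dtml-comment>No access to "upload": render no link for this visitor.</dtml-comment>
</dtml-try>
```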