dtml-in and skip_unauthorized not working?
I have a very similar problem to the one given by Jean Lagarde at http://lists.zope.org/pipermail/zope/2001-June/093739.html -- I have a number of Squishdot sites, and I'd like to automatically generate a list of Squishdot sites accessible to the current logged-in user.

Here's the dtml method (MyFora) I'm using:

    <ul>
    <dtml-in findfora skip_unauthorized>
      <dtml-let item=sequence-item>
        <dtml-with item>
          <li><a href="<dtml-var absolute_url>"><dtml-var title></a>
        </dtml-with>
      </dtml-let>
    </dtml-in>
    </ul>

and here's the Python script (findfora):

    from string import split, join

    published = {}
    meta_types = ('Squishdot Site',)
    root = None

    #lets setup the root we will find all our resources from
    if context.REQUEST.VirtualRootPhysicalPath:
        root = context.REQUEST.VirtualRootPhysicalPath
    else:
        root = ('',)
    root = context.restrictedTraverse(root)

    published=[]

    for obj in context.ZopeFind(root, obj_metatypes=meta_types, search_sub=1):
        id, obj = obj[0], obj[1]
        published.append(obj)

    return published

For every authenticated user, it returns a *full* list of Squishdot sites, not just the ones they're authorized to view. Clicking on one of the unauthorized links pops up a login dialog, but I don't even want the links to show up at all (which I thought skip_unauthorized would take care of).

As far as I can tell, neither method has any proxy roles attached. What detail did both Jean and I miss in our respective situations? Zope 2.3.2, by the way.

-- Mike Renfro / R&D Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
Does anonymous by any chance have the "Access contents information" permission on these objects (or any others)? I suspect it must if it can display the titles.

-- | Casey Duncan | Kaivo, Inc. | cduncan@kaivo.com `------------------>
On Thu, Aug 09, 2001 at 02:42:39PM -0600, Casey Duncan wrote:
> Does anonymous by any chance have the "Access contents information" permission on these objects (or any others)? I suspect it must if it can display the titles.

Anonymous has Access contents defined in the root folder, and it's acquired throughout the site. Without that, I'd have considerable trouble querying any title or other properties anywhere, right?

For the short term, I've put a permissions check in the python script before it appends to the object list. It works, at least.

So the idea is that I'm falling back to Anonymous access, and since I have Access contents permission defined there, it's working? How would I change the permission it checks to 'View', for example?

-- Mike Renfro / R&D Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
Mike Renfro writes:
> For the short term, I've put a permissions check in the python script before it appends to the object list. It works, at least.

Many people ignore "ZopeFind". It's a pity! "ZopeFind" is very helpful.

It can filter on permission and provides much better control than "skip_unauthorized" (which simply can check for object access ("Access contents information" for most objects, "View" for a few specials)).

Dieter
On Fri, Aug 10, 2001 at 11:06:09PM +0200, Dieter Maurer wrote:
> Many people ignore "ZopeFind". It's a pity! "ZopeFind" is very helpful.
>
> It can filter on permission and provides much better control than "skip_unauthorized" (which simply can check for object access ("Access contents information" for most objects, "View" for a few specials)).

Great. I saw that argument in the code for it, but it wasn't clear what format the parameter should take. Any examples?

-- Mike Renfro / R&D Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
Mike Renfro writes:
> On Fri, Aug 10, 2001 at 11:06:09PM +0200, Dieter Maurer wrote:
> > Many people ignore "ZopeFind". It's a pity! "ZopeFind" is very helpful.
> >
> > It can filter on permission and provides much better control than "skip_unauthorized" (which simply can check for object access ("Access contents information" for most objects, "View" for a few specials)).
>
> Great. I saw that argument in the code for it, but it wasn't clear what format the parameter should take. Any examples?

There is a prominent example: the "Find" tab in Zope's ZMI.

Looking at it, you will find that:

    "obj_permission" is a permission name
    "obj_roles" is a list of roles

If both are specified, "ZopeFind" finds the objects where the specified roles have the given permission.

The ZMI is a really rich repository of examples.... Often, they are even documented (as in the case of the "Find" tab)....

Dieter
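
A simplified Python model of the behaviour discussed in this thread, added here as an illustration and not code from the thread or from Zope: a listing filtered only on "Access contents information" shows every site when Anonymous acquires that permission from the root, while a find filtered on "View" for given roles does not. The Node class, the role names and the site tree are constructed, and the filter assumes "the specified roles have the given permission" means every listed role.

```python
# Simplified model of the permission checks discussed in this thread.
# Constructed for illustration; this is not Zope's implementation.
ACI, VIEW = "Access contents information", "View"

class Node:
    def __init__(self, name, meta_type="Folder", parent=None, perms=None):
        self.name, self.meta_type, self.parent = name, meta_type, parent
        self.perms = perms or {}  # permission -> (roles, acquire_from_parent)
        self.children = []
        if parent is not None:
            parent.children.append(self)

def roles_for(node, permission):
    """Roles holding `permission` on `node`, following acquisition upward."""
    roles = set()
    while node is not None:
        local, acquire = node.perms.get(permission, ((), True))
        roles.update(local)
        node = node.parent if acquire else None
    return roles

def walk(root, meta_type):
    """Yield every descendant of `root` with the given meta type."""
    for child in root.children:
        if child.meta_type == meta_type:
            yield child
        yield from walk(child, meta_type)

def list_by_object_access(root, meta_type, user_roles):
    """Listing filtered only on object access, as in the original MyFora."""
    out = []
    for ob in walk(root, meta_type):
        holders = roles_for(ob, ACI)
        if "Anonymous" in holders or holders & set(user_roles):
            out.append(ob.name)
    return out

def find(root, meta_type, obj_permission, obj_roles):
    """Keep objects where every role in obj_roles holds obj_permission."""
    return [ob.name for ob in walk(root, meta_type)
            if set(obj_roles) <= roles_for(ob, obj_permission)]

# Constructed site tree: Anonymous acquires ACI everywhere, View is per site.
root = Node("root", perms={ACI: (["Anonymous"], False), VIEW: (["Manager"], False)})
SITE = "Squishdot Site"
Node("staff", SITE, root, {VIEW: (["Staff"], False)})
Node("students", SITE, root, {VIEW: (["Student"], False)})
Node("shared", SITE, root, {VIEW: (["Staff", "Student"], False)})
```

In this model a user holding only the Student role sees all three sites through the object-access listing but only "students" and "shared" through the "View" filter.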
participants (3)
- Casey Duncan
- Dieter Maurer
- Mike Renfro