Re: [Zope] acessing parameters in a "helper class"
Max M writes:
.... <dtml-in getAllComments> <i><dtml-var author></i><br> ..... Traceback: .... Unauthorized: author
.... def addComment(self, comment='', author='' , RESPONSE=None): "Adds a comment" self.comments.append(aComment(comment, author)) self._p_changed = 1 # Trigger persistence RESPONSE.redirect('index_html') .... def getAllComments(self): "returns a list of all comments" return self.comments
Your "getAllComments" returns a list of bare (unwrapped) objects. This removes any possibility to acquire permissions. You should probably rewrite you "getAllComments" like this: def getAllComments(self): "returns a list of all comments" r= [] for c in self.comments: r.append(r.__of__(self)) This would require that "aComment" inherits from "Acquisition.Implicit" (or "Explicit"). Furthermore, your "aComment" does not specify any security rules. With the news Zope 2.2 security policy, this means access is prohibited. You may consider to provide security rules. There is a nice document from Brian which explains your options. Dieter
From: Dieter Maurer
You may consider to provide security rules.
There is a nice document from Brian which explains your options.
Yes there is indeed. I just hadn't noticed it before. I have just added: "__allow_access_to_unprotected_subobjects__=1" to the aComment class and everythings dandy. Just what the doctor ordered. Brian also mentions in his document that a "__roles__ = None" should do the same for the class, but it doesn't. Don't know why. class aComment: ' ' __allow_access_to_unprotected_subobjects__=1 # This works #__roles__= None # This doesn't def __init__(self, comment, author): self.comment = comment self.author = author Thanks for the info Max M Max M. W. Rasmussen, Denmark. New Media Director private: maxmcorp@worldonline.dk work: maxm@normik.dk ----------------------------------------------------- Specialization is for insects. - Robert A. Heinlein
participants (2)
-
Dieter Maurer -
Max M