[Zope-PTK] User Sources and ZClasses (Building ZPatterns)
Lalo Martins
lalo@hackandroll.org
Thu, 18 May 2000 06:26:15 -0300

On Wed, May 17, 2000 at 07:41:46PM -0400, Kevin Dangoor wrote:
>
> > - Properties of a user are stored with the user (how?)
>
> You could make a SheetProvider (I'm not up to speed on that yet). Or, you
> could probably just create a ZClass for your users and manage the user's
> properties using standard ZClass mechanisms.

That's exactly what I planned to do, but I stumbled on an
important problem - I can't use the permission framework to
protect the user's password. I want the password to be a
property in a property sheet, but property sheets and
permissions don't work well together in Zope 2.1.x - if I allow
other users to create arbitrary DTML, they can retrieve the
passwords of any user with trivial code
(<dtml-var "Users[username].password">). I posted to zope and
zope-dev about this problem a while ago, to no avail.

Looks like the permission I set inside the property sheet only
affects _editing_ the properties, not reading them.

Of course I could just go ahead and not give users permission
to create arbitrary DTML, but I don't want to have to change
the whole user source (and probably take the site offline)
later when this is fixed.

[]s,
|alo
+----
--
Hack and Roll ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.
http://www.webcom.com/lalo mailto:lalo@hackandroll.org
pgp key in the personal page
Brazil of Darkness (RPG) --- http://zope.gf.com.br/BroDar