[Zope-CMF] folder_contents.dtml security checks
Chris Withers
chrisw@nipltd.com
Sat, 2 Jun 2001 18:23:50 +0100
Hi :-)
This looks like it's supposed to redirect to the view of the folder if the
viewer doesn't have the access contents permission. Does this make sense?
<dtml-if "not portal_membership.checkPermission('Access contents information', this())">
<dtml-call "RESPONSE.redirect(absolute_url())">
</dtml-if>
If it does, could someone explain it to me? :-)
For now, I'm taking it out in my refactored version...
Also, in the same file, I see a lot more explicit security checks to render
links and buttons to other skins methods. Is there any way these could be
factored out?
Hmmm, how about providing a mechanism such as (pseudo-code):
<dtml-var "folder_rename_form(render_as='button')">
...or...
<dtml-var "folder_rename_form(render_as='link')">
...in either case, it lets that object decide how its appropriate bit looks
and also allows _it_ to not display anything if the required permission
isn't present, so encapsulating the security with the logic.
Have I made sense? Is it possible?
cheers,
Chris
PS: The code in folder_contents.dtml is pretty hairy, isn't it? :-S
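
The render_as idea from the message above, as an added Python sketch; it is not part of the original post and not CMF code. The SkinAction class, the check_permission stand-in for portal_membership.checkPermission, and the permission assigned to folder_rename_form are all assumptions made for illustration.

```python
from html import escape

# Constructed stand-in for portal_membership.checkPermission(permission, object):
# a "user" here is just the set of permission names granted on the folder.
def check_permission(permission, granted):
    return permission in granted


class SkinAction:
    """Hypothetical skin method that knows its own permission and renders itself."""

    def __init__(self, action_id, label, permission):
        self.action_id = action_id
        self.label = label
        self.permission = permission

    def render(self, folder_url, granted, render_as="link"):
        # The permission check lives with the action, not in the calling template.
        if not check_permission(self.permission, granted):
            return ""
        target = escape(f"{folder_url}/{self.action_id}", quote=True)
        label = escape(self.label, quote=True)
        if render_as == "button":
            return (f'<form action="{target}" method="post">'
                    f'<input type="submit" value="{label}"></form>')
        if render_as == "link":
            return f'<a href="{target}">{label}</a>'
        raise ValueError(f"unknown render_as: {render_as!r}")

    def invoke(self, granted):
        # Hiding the control is presentation only; the method itself must
        # still refuse callers who request its URL directly.
        if not check_permission(self.permission, granted):
            raise PermissionError(self.permission)
        return f"{self.action_id} executed"


# Constructed sample data; the permission assignment is hypothetical.
rename = SkinAction("folder_rename_form", "Rename", "Add portal content")
MEMBER = {"Access contents information", "Add portal content"}
ANONYMOUS = {"Access contents information"}

if __name__ == "__main__":
    print(rename.render("http://example.org/folder", MEMBER, "button"))
    print(repr(rename.render("http://example.org/folder", ANONYMOUS, "link")))
```
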