[Zope-CMF] security problem in standard_top_bar

marc lindahl marc@bowery.com
Mon, 15 Oct 2001 12:26:56 -0400


Hi,
I modified standard_top_bar.dtml so that it wouldn't show the portal title
twice when in the top level of the portal.  But there's a security problem
in some subfolders, like Member's folders, when a non-owner,manager,member
is browsing an anonymous page, whose enclosing folder isn't anonymously
accessible.

I'm having trouble formulating the right security test for this.  Here's the
code snippet that gives an auth error:

  <td class="PortalTitle" width="40%" align="left"
      valign="middle">
   <h1><dtml-with portal_properties>&dtml-title;</dtml-with
   ><dtml-if "_.hasattr(this().aq_parent, 'portal_url')">
      <dtml-if name="Title">: &dtml-Title;</dtml-if></dtml-if></h1>
  </td>


So you see, at the top level of the CMF portal (which is always, in my case,
at least one level down from Zope root), the if fails, and you don't print
the title twice.