[Zope-CMF] RFC: browser views and security
yuppie
y.2006_ at wcm-solutions.de
Sun Jan 15 16:10:48 EST 2006
Hi!

Another issue with converting skin scripts to browser views:

Scripts are untrusted code, the permissions are checked for all methods
called from scripts. Browser views are trusted code, they are only
protected by one permission for the complete view.

Complex forms like folder contents behave differently depending on the
permissions the users have. E.g. some users can delete or rename
sub-objects while others can't.

The only solution I see is to protect all actions that need a different
permission than the form itself by checkPermission.

Am I missing something?

Cheers,
Yuppie
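The approach proposed in the message above, as an added example that is not part of the original post and is not Zope or CMF code: a stand-in publisher guards the whole view with one permission, so each action inside the trusted view has to check its own permission explicitly. The permission names, roles and every class and function name here are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Illustrative model only; permission names are assumptions.
VIEW_PERMISSION = "List folder contents"    # the one permission on the view
ACTION_PERMISSIONS = {                      # permissions that differ from it
    "delete": "Delete objects",
    "rename": "Rename objects",
}

class Unauthorized(Exception):
    pass

@dataclass
class Folder:
    items: dict
    grants: dict = field(default_factory=dict)  # permission -> set of roles

def check_permission(permission, obj, roles):
    """Hypothetical stand-in for a framework checkPermission call."""
    return bool(obj.grants.get(permission, set()) & set(roles))

class FolderContentsView:
    """Trusted code: method calls made in here are not checked for us."""

    def __init__(self, context, roles):
        self.context, self.roles = context, roles

    def _require(self, action):
        perm = ACTION_PERMISSIONS[action]
        if not check_permission(perm, self.context, self.roles):
            raise Unauthorized(f"{action} requires {perm!r}")

    def allowed_actions(self):
        # Lets the form decide which buttons to render for this user.
        return [a for a, p in ACTION_PERMISSIONS.items()
                if check_permission(p, self.context, self.roles)]

    def delete(self, ids):
        self._require("delete")  # explicit check; the publisher does not do it
        for item_id in ids:
            del self.context.items[item_id]

    def rename(self, old, new):
        self._require("rename")
        self.context.items[new] = self.context.items.pop(old)

def publish(view_cls, folder, roles, method, *args):
    """Mimics the publisher: a single permission check for the whole view."""
    if not check_permission(VIEW_PERMISSION, folder, roles):
        raise Unauthorized("view")
    return getattr(view_cls(folder, roles), method)(*args)
```

Removing the `_require` calls leaves the view reachable by anyone holding the view permission, with delete and rename running unchecked, which is the gap the message describes.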