[ZCM] [ZC] 170/ 3 Reject "No protection for PageTemplateFile"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin@zope.org
Sat, 18 Jan 2003 09:52:06 -0500


Issue #170 Update (Reject) "No protection for PageTemplateFile"
 ** Security Related ** (Public)
 Status Rejected, Zope/bug medium
To followup, visit:
  http://collector.zope.org/Zope/170

==============================================================
= Reject - Entry #3 by chrisw on Jan 18, 2003 9:52 am

 Status: Pending => Rejected

This one doesn't appear to be a bug as such, and it's pretty ancient now, so closing.
________________________________________
= Comment - Entry #2 by mcdonc on Aug 20, 2002 5:02 pm

Do you want to protect access to your *class* or to methods of your class?  It appears to be the latter.

Here's something that works for me:

from AccessControl import ClassSecurityInfo
from OFS.SimpleItem import SimpleItem
from Products.PageTemplates.PageTemplateFile import PageTemplateFile
import Globals

class simple(SimpleItem):
    security = ClassSecurityInfo()
    # Private: index_html cannot be reached through the web or from restricted code
    security.declarePrivate('index_html')
    index_html = PageTemplateFile('stuff', globals())

def manage_addSimple(self, id):
    """ """
    ob = simple()
    self._setObject(id, ob)
    ob.id = id

manage_addSimpleForm = PageTemplateFile('stuff', globals())

# Apply the ClassSecurityInfo declarations above to the class
Globals.InitializeClass(simple)

________________________________________
= Request - Entry #1 by dirksen on Jan 24, 2002 7:54 pm

I want to shut off anonymous access to my class, but to my surprise, instances of PageTemplateFile leak through the security check. Here's my class:

class Dummy:
    ....
    __roles__ = ['Authenticated', 'Owner', 'Manager']
    index_html = PageTemplateFile('F:/zope2/lib/.../view.zpt', globals())
    ....

Globals.InitializeClass(Dummy)

Visiting index_html gets through without an id check. If I change it to HTMLFile, the authen-box pops up right away. So I suspect PageTemplateFile has a bug.
==============================================================