[Zope-dev] Acquisition ( slightly less Confusion ;-)
Shane Hathaway
shane@digicool.com
Thu, 17 Aug 2000 09:43:19 -0400
Chris Withers wrote:
> How should I go about petitioning for
> <dtml-var anobject aq_context> to become valid syntax?
There's one little (okay, big) problem with this idea: aq_context
strips the security context. In fact, it could be used to confuse the
security machinery.
Let's say I'm Joe Hacker and I have set up membership at
www.zope.org/Members/jhacker. I create a DTML method called index_html
with this:
<dtml-with Members>
<dtml-with hathawsh aq_context>
<dtml-call expr="index_html.manage_edit('1 0WN U')">
</dtml-with>
</dtml-with>
Line 2 might be written as <dtml-with hathawsh><dtml-with aq_context>.
Now I may have accessed the member folder for hathawsh with the local
roles that are supposed to be in effect only in my own folder. Zope
acquires the local roles from anything in the path
/Members/jhacker/Members/hathawsh/index_html. Normally the local roles
would be determined by /Members/hathawsh/index_html, in which case Zope
would find no local roles for jhacker.
"aq_containment" should be fine, however.
Shane
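As an added illustration of the point Shane makes (this is not code from the original post, nor Zope's own implementation), the toy model below mimics how an acquisition wrapper's chain records the context path a request took rather than an object's real containers, and shows why local-role lookup over that context chain lets roles leak while lookup over the containment chain does not. The folder ids, user names and the "Owner" role are constructed for the example; `acquire`, `containment_chain` and `local_roles_for` are simplified stand-ins for Zope's machinery, not its API.

```python
# Toy model of Zope-style local-role resolution along an acquisition chain.
# Added example; not code from the original post or from Zope itself.
# Folder ids, user names and roles below are constructed.

class Folder:
    """A container with an id, a containment parent and per-user local roles."""
    def __init__(self, id, parent=None, local_roles=None):
        self.id = id
        self.parent = parent                  # real container (what aq_inner follows)
        self.local_roles = local_roles or {}  # user -> set of roles granted here
        self.children = {}
        if parent is not None:
            parent.children[id] = self

def containment_chain(obj):
    """The containment (aq_inner-style) chain: the object, then its real containers."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = obj.parent
    return chain

def acquire(chain, name):
    """Name lookup with context acquisition. `chain` is the current chain,
    innermost object first. The name is searched in each object outward and
    the hit is wrapped in the chain it was reached *from*, so the result
    records the request's context path, not the object's containment path."""
    for obj in chain:
        if name in obj.children:
            return [obj.children[name]] + chain
    raise KeyError(name)

def path_of(chain):
    """Render a chain as a /-separated path, root first (root id omitted)."""
    return "/" + "/".join(o.id for o in reversed(chain) if o.parent is not None)

def local_roles_for(chain, user):
    """Union of the local roles `user` holds on every object in the chain.
    Over a context chain this is where foreign local roles creep in; over the
    containment chain only the object's real containers contribute."""
    roles = set()
    for obj in chain:
        roles |= obj.local_roles.get(user, set())
    return roles

def build_site():
    """Constructed site: /Members/jhacker and /Members/hathawsh, each with the
    member as local Owner, and an index_html inside hathawsh's folder."""
    root = Folder("root")
    members = Folder("Members", root)
    Folder("jhacker", members, {"jhacker": {"Owner"}})
    hathawsh = Folder("hathawsh", members, {"hathawsh": {"Owner"}})
    Folder("index_html", hathawsh)
    return root

def resolve_from_jhacker(root):
    """Replay the nested <dtml-with> lookups from the post, starting inside
    /Members/jhacker, and return (context chain, containment chain) for the
    index_html that is reached."""
    jhacker = root.children["Members"].children["jhacker"]
    chain = containment_chain(jhacker)     # code running in jhacker's own folder
    chain = acquire(chain, "Members")      # <dtml-with Members>
    chain = acquire(chain, "hathawsh")     # <dtml-with hathawsh>
    chain = acquire(chain, "index_html")   # the object the call would act on
    return chain, containment_chain(chain[0])

if __name__ == "__main__":
    ctx, cont = resolve_from_jhacker(build_site())
    print(path_of(ctx), local_roles_for(ctx, "jhacker"))    # jhacker's Owner role is visible
    print(path_of(cont), local_roles_for(cont, "jhacker"))  # no roles for jhacker
```

Running it prints the two paths from the post, `/Members/jhacker/Members/hathawsh/index_html` with `{'Owner'}` for jhacker and `/Members/hathawsh/index_html` with an empty set, which is the difference between deciding roles from the context chain and from the containment chain that makes `aq_containment` the safe choice.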