[Zope-dev] Bugs in new Security Stuff :P (part1)
R. David Murray
bitz@bitdance.com
Tue, 22 Aug 2000 08:31:18 -0400 (EDT)
On Tue, 22 Aug 2000, Chris Withers wrote:
> Why are they totally immune to the security stuff? It gets really
> confusing when something works fine in a management screen and yet
> breaks everywhere else, especially when it's not throwing a security
> error (more in part II ;-)
>
> So, why is it like this?
My guess: because part of the Zope security model is that if you
have access to the file system (ie: external method, python product)
you are allowed to do anything. It's only when you try to call
that anything from dtml that security gets involved (unless you
code the security yourself).
Under the new security model of "denied unless explicitly permitted",
the current behavior of on-disk dtml methods is arguably wrong.
--RDM