[Zope-dev] PageTemplateFile vs. Bindings vs. Security

Dieter Maurer dieter at handshake.de
Tue Mar 23 15:45:32 EST 2004


Jamie Heilman wrote at 2004-3-22 16:42 -0800:
> ...
>So here's the questions I have for you all... is there a way to
>declare appropriate security on the bindings that are screwing me
>right now from within my product code so that I can selectively poke
>holes to allow container access where needed,

One approach (hopefully quite near to your wishes) looks like:

  Protect your object by a role, say "Manager".
  This looks like "__roles__ = ('Manager',)"

  Give your "PageTemplateFile" the "Manager" proxy role:
  "_proxy_roles = ('Manager',)"

  Make your "PageTemplateFile" unowned: "_owner = None".

Instead of "Manager", you can use another role to which you do not
assign any permissions.


Alternative:
An incredibly long time ago, Evan published a product
"XXXPythonScripts". These are "PythonScripts" without security
checks. Looking at the differences between these two products
may show what is needed to get security-unaware "PageTemplateFiles".

-- 
Dieter
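
Added example, not part of the original message and not Zope's own code: a simplified, self-contained model of how the three settings above combine when a template accesses a role-protected object. It assumes a check in which an owned executing object is limited by its owner's roles and proxy roles replace the requesting user's roles; all class and function names are hypothetical.

```python
# Simplified model (not Zope code) of the role check these settings feed into.
# All class and function names are hypothetical.

class Unauthorized(Exception):
    pass

class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, frozenset(roles)

class Protected:
    """Stands in for the product object guarded by a role."""
    def __init__(self, roles):
        self.__roles__ = tuple(roles)

class Template:
    """Stands in for the PageTemplateFile that performs the access."""
    def __init__(self, proxy_roles=(), owner=None):
        self._proxy_roles = tuple(proxy_roles)
        self._owner = owner

def validate(user, executing, target):
    required = frozenset(target.__roles__)
    if executing is not None:
        owner = executing._owner
        # An owned executable may not do more than its owner could.
        if owner is not None and not (owner.roles & required):
            raise Unauthorized("owner of executing object lacks the role")
        # Proxy roles, when set, replace the requesting user's roles.
        if executing._proxy_roles:
            if required.intersection(executing._proxy_roles):
                return True
            raise Unauthorized("proxy roles do not include the role")
    if user.roles & required:
        return True
    raise Unauthorized("user lacks the role")

def allowed(user, executing, target):
    try:
        return validate(user, executing, target)
    except Unauthorized:
        return False

if __name__ == "__main__":
    anon = User("anonymous", ["Anonymous"])
    member = User("member", ["Member"])  # constructed sample users
    obj = Protected(["Manager"])
    print(allowed(anon, Template(), obj))                     # no proxy role
    print(allowed(anon, Template(["Manager"]), obj))          # all three settings
    print(allowed(anon, Template(["Manager"], member), obj))  # still owned
```

In this model the proxy role alone is not enough: a template that is still owned by a user without the role is refused, which is the case the `_owner = None` step removes.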


