[Zope] Security quirk
Toby Dickenson
tdickenson@oriongroup.co.uk
Thu, 22 Jul 1999 12:56:59
I am seeing some unexplained differences between authorisation in
these two DTML methods:
Method A
<!--#call "manage_addFolder(id=_.str(10000-_.len(objectIds())),title='testing')"-->
Method B
<!--#call "manage_addDTMLDocument(id=_.str(10000-_.len(objectIds())),title='testing',file='testing')"-->
When viewed by an anonymous user, A gives the Unauthorized exception
that I was expecting, but B succeeds. This is the same in 1.10.3 and
in alpha 3.
I couldn't find anything specific in the documentation.... should
authorisation be checked in these cases?