[Zope] Authorization failure

Martijn Pieters mj@antraciet.nl
Sun, 03 Oct 1999 22:53:13 +0200


At 21:59 3-10-99, Sture Lygren wrote:
>Hello again!
>
>Your answer helped get the method working - thanks!
>
>But now I'm stuck with a new problem (as always). I try to use the
>method quoted below to show private and public folders for a user.
>Trouble is all I get is the '+' and '-' signs on expandable and
>collapsible folders, no icon and no text. Only the manager gets the
>correct icons and text shown. Why is this so?
>
>DTML-method show_tree accessed from index_html (also a DTML-method):
>
><dtml-tree branches_expr="objectValues(['Folder','File'])" sort=id
>skip_unauthorized=1>
><dtml-if "AUTHENTICATED_USER.has_role('Owner',_.getitem('id',1)) or
>AUTHENTICATED_USER.has_permission('View',_.getitem('id',1))">
>  <dtml-if "meta_type=='Folder'">
>   <img src="<dtml-var SCRIPT_NAME>/<dtml-var icon>" border="0">
><dtml-var id>
>  <dtml-else>
>   <a href="<dtml-var tree-item-url>"><img src="<dtml-var
>SCRIPT_NAME>/<dtml-var icon>" border="0"> <dtml-var id></a>
>  </dtml-if>
></dtml-if>
></dtml-tree>

That's because you are trying to assess the permissions in the context of 
_.getitem('id',1), which will return the id of the currently assessed 
object in the tree. This is a string, not, as it should be, an object.

Try this:

<dtml-tree branches_expr="objectValues(['Folder','File'])" sort=id
skip_unauthorized=1>
<dtml-if "AUTHENTICATED_USER.has_role('Owner',this()) or
AUTHENTICATED_USER.has_permission('View',this())">
  <dtml-if "meta_type=='Folder'">
   <img src="<dtml-var SCRIPT_NAME>/<dtml-var icon>" border="0">
<dtml-var id>
  <dtml-else>
   <a href="<dtml-var tree-item-url>"><img src="<dtml-var
SCRIPT_NAME>/<dtml-var icon>" border="0"> <dtml-var id></a>
  </dtml-if>
</dtml-if>
</dtml-tree>

but I think you can leave out the has_role test completely, because the 
skip_unauthorized will only return objects the current visitor has access 
to anyway.

--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| T: +31 35 7502100 F: +31 35 7502111
| mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
---------------------------------------------
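
The failure mode discussed above, as an added example that is not part of the original post and is not Zope's code: a simplified Python model of a context-sensitive role check, showing that an id string passed as the context quietly yields no per-object roles instead of raising an error. All names (`Node`, `User`, `local_roles`, `parent`, `visible_ids`) are hypothetical and the sample data is constructed.

```python
# Simplified model of a context-sensitive role check (assumption: not Zope's code).
class Node:
    """A tree object carrying per-object role grants (hypothetical attributes)."""
    def __init__(self, ident, parent=None, local_roles=None):
        self.id = ident
        self.parent = parent
        self.local_roles = local_roles or {}   # user name -> list of roles


class User:
    def __init__(self, name, global_roles=()):
        self.name = name
        self.global_roles = set(global_roles)

    def roles_in_context(self, context):
        """Global roles plus roles granted on context and on its ancestors."""
        roles = set(self.global_roles)
        # A str has neither attribute, so nothing is added and the walk ends
        # after one step: only global roles remain and no error is raised.
        while context is not None:
            grants = getattr(context, "local_roles", {})
            roles.update(grants.get(self.name, ()))
            context = getattr(context, "parent", None)
        return roles

    def has_role(self, role, context):
        return role in self.roles_in_context(context)


def visible_ids(user, nodes, by_id):
    """Ids the tree body would render when the check gets the id or the object."""
    pick = (lambda n: n.id) if by_id else (lambda n: n)
    return [n.id for n in nodes if user.has_role("Owner", pick(n))]


# Constructed sample data: one folder owned by the user, one not.
root = Node("root")
private = Node("private", root, {"sture": ["Owner"]})
public = Node("public", root)
sture = User("sture")

if __name__ == "__main__":
    print(visible_ids(sture, [private, public], by_id=True))    # id string as context
    print(visible_ids(sture, [private, public], by_id=False))   # object as context
```
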