[Zope] Strange behaviour on authorization
R. David Murray
bitz@bitdance.com
Mon, 21 Aug 2000 14:05:52 -0400 (EDT)
On Mon, 21 Aug 2000, Casey Duncan wrote:
> The fact that your external method returns a class instance explains why it
> fails where it does instead of in the dtml-let statement. It looks as though
> Zope is allowing the object to be returned, but balking when you try to
> access it. I think I will need to see exactly what your external method and
> the returned object are doing before I can try explaining this behavior.
In 2.2 the security model is tightened. To use returned objects of
your special-purpose classes from dtml, you have to tell Zope that it is
OK to do so. Check out Brian's new-security-model guide at
http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide
(I think he also has newer stuff in the security chapter of the book
but I haven't looked at it yet).
I think what you want to do is add
    __allow_access_to_unprotected_subobjects__=1
as a class variable to the class in your external method. But read the
guide so you understand the security consequences of doing that.
--RDM
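
The following is an added example, not part of the original message and not Zope's own code: a simplified Python model of the check restricted code such as DTML goes through, showing what the class variable opens up. The names `guarded_getattr`, `readable`, `Report`, `OpenReport` and `SplitReport` are hypothetical, and the guard is an assumption that models only the flag and the underscore rule.

```python
class Unauthorized(Exception):
    """Raised by the toy guard when restricted code may not read a name."""

def guarded_getattr(obj, name):
    # Toy stand-in (assumption) for the attribute check applied to DTML.
    if name.startswith("_"):
        raise Unauthorized(name)  # private names stay unreachable
    # No security declarations on the object: access is refused unless the
    # class opts in with the variable named in the message above.
    if not getattr(obj, "__allow_access_to_unprotected_subobjects__", 0):
        raise Unauthorized(name)
    return getattr(obj, name)

def readable(obj):
    """Names of instance attributes the toy guard lets restricted code read."""
    allowed = []
    for name in vars(obj):
        try:
            guarded_getattr(obj, name)
        except Unauthorized:
            continue
        allowed.append(name)
    return sorted(allowed)

class Report:
    # Returned by an external method; carries no opt-in, so DTML is refused.
    def __init__(self, title, db_password):
        self.title = title
        self.db_password = db_password  # constructed sample value

class OpenReport(Report):
    # The opt-in: every non-underscore attribute becomes readable,
    # including ones that were never meant for templates.
    __allow_access_to_unprotected_subobjects__ = 1

class SplitReport(OpenReport):
    # Same opt-in, but the sensitive value lives behind an underscore name.
    def __init__(self, title, db_password):
        self.title = title
        self._db_password = db_password

if __name__ == "__main__":
    for cls in (Report, OpenReport, SplitReport):
        print(cls.__name__, readable(cls("Q3 totals", "constructed-secret")))
```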