[Zope] Re: Zope won't let me call aq_parent in ZWiki?

Chris Withers chrisw@nipltd.com
Thu, 29 Jun 2000 11:36:32 +0100


Hi Curtis,

Sorry for the late reply, I've been on holiday :S

Curtis Matthews wrote:
> 
> I've just recently noticed I'm not able to call the JumpSearch and
> RecentChanges methods in the Basic ZWiki because I'm not authorized to call
> a method called aq_parent. Has anyone else had this problem, and is there a
> solution?

This is a 'feature' of ZWiki according to Simon Michael, its author. I
think it's a bug ;-)

Basically, ZWiki Pages (RecentChanges is a ZWiki Page) execute DTML
contained in themselves with the 'Anonymous' role, supposedly as a
security precaution.
This means that 'Anonymous' must have the 'Access Contents Information'
permission for RecentChanges and several other things to work.

This makes it practically impossible to have a Wiki that is secure :/

This is a hard problem to solve; see Jim Fulton's server side trojan
stuff for a detailed discussion. I don't like the current solution; it's
confusing.
A better, but not best ;-), solution would be to make ZWiki pages
execute with any proxy roles they have and only those roles, or even
have a separate 'This Wiki Page has these roles' configuration box.

A workaround would be to make RecentChanges a DTML method rather than a
ZWiki page. You should just be able to copy and paste the contents.

HTH,

Chris