[Zope] RE: Globals.DTMLFile vs. DTML Method wrt security
Randall F. Kern
randy@spoke.net
Fri, 20 Apr 2001 18:01:48 -0700
oops, slipped on the keyboard, sorry about that partial post. here's
the full version:
DTMLFile objects in my python product can do things DTML
Methods can't, and that is causing some trouble.
In particular, dtml that is from a DTMLFile() attribute in a
python product can <dtml-var> stuff (like a DTML Document)
that doesn't have the correct permissions, and placing the same
<dtml-var> tag into a TTW DTML Method results in a login
dialog.
Is this by design? Is there a way for me to turn this off?
-Randy
Details:
For example, create a DTML Document (id secret) that only
managers can 'View' or 'Access contents information' on.
Then write a DTML Method that just does <dtml-var secret>. This
correctly causes a login dialog, and will only show the
contents of secret if you are authenticated with an account
that has the manager role.
Now write a python product somewhere, important bits look like this:

    from AccessControl import ClassSecurityInfo
    from OFS.Folder import Folder
    import Globals

    class Foo(Folder):
        security = ClassSecurityInfo()
        security.declareObjectProtected('View')
        __class_init__ = Globals.default__class_init__
        meta_type = "foo"

        def __init__(self, id):
            self.id = id

        # test.dtml sits next to this module and is loaded from the filesystem
        security.declareProtected('View', 'test')
        test = Globals.DTMLFile('test', globals())

        security.declareProtected('View', '__call__')
        def __call__(self, client=None, context={}, **extras):
            return apply(self.test, ((client, self), context), extras)
then in test.dtml:

    <dtml-var secret>

Now create an instance of Foo somewhere, and try calling
either the test method or the object itself. In both cases,
you'll see the contents of secret, without being logged in.
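A pure-Python model of the two lookup paths described above, plus the mitigation a product author can apply (an added illustration, not Randy's code and not Zope's own implementation; the SITE map, the role names and the validate/unguarded functions are constructed stand-ins for Zope's security machinery):

```python
import re

class Unauthorized(Exception):
    """Raised when a guarded lookup is denied (stands in for AccessControl.Unauthorized)."""

# Constructed sample site: object id -> (content, roles allowed to 'View' it).
SITE = {
    "secret": ("top secret", {"Manager"}),
    "public": ("hello", {"Manager", "Anonymous"}),
}

def validate(name, user_roles):
    """Model of the check a through-the-web DTML Method's namespace performs."""
    content, allowed = SITE[name]
    if not (allowed & user_roles):
        raise Unauthorized(name)
    return content

def unguarded(name, user_roles):
    """Model of a trusted filesystem DTMLFile: the lookup is never validated."""
    return SITE[name][0]

TAG = re.compile(r"<dtml-var\s+(\w+)>")

def render(template, lookup, user_roles):
    """Expand each <dtml-var x> tag through the given lookup policy."""
    return TAG.sub(lambda m: lookup(m.group(1), user_roles), template)

def dtml_method(template, user_roles):
    return render(template, validate, user_roles)

def dtml_file(template, user_roles):
    return render(template, unguarded, user_roles)

def dtml_file_checked(template, user_roles):
    """Mitigation: the product validates every referenced object itself before rendering."""
    for name in TAG.findall(template):
        validate(name, user_roles)
    return render(template, unguarded, user_roles)

def denied(renderer, template, user_roles):
    """True when the renderer refuses this user; lets the three policies be compared."""
    try:
        renderer(template, user_roles)
    except Unauthorized:
        return True
    return False
```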