[Zope] problem testing for a permission
Jerome Alet
alet@unice.fr
Sat, 21 Apr 2001 18:47:13 +0200
Hi,
On Fri, Apr 20, 2001 at 09:05:50PM +0200, Dieter Maurer wrote:
> I am not sure whether it was you with whom I discussed a similar
> problem?
No, I don't think so.
> I could reproduce a problem when the user had not
> "Access Contents Information", but the "View" permission
> was not necessary.
>
> Same for your problem (I am using ZopeCVS, about 10 days old):
>
> "has_permission" requires "Access Contents Information"
> for its object attribute (a bug in my view), but no
> 'View' permission.
I've tried to give this permission on "mymethod" to anonymous
users but without luck.
> Jerome Alet writes:
> > ....
> > <dtml-if "AUTHENTICATED_USER.has_permission('View', mymethod)">
> > ...
> > but if I access the pages as an anonymous user then I've got
> > an Unauthorized exception instead of not having the "Members only" link.
> Either some strange effect with your Zope version or:
Maybe. I'll try to update ASAP.
> * your "standard_html_xxx" is a DTML Document (! not method)
No, it's a DTML method.
>
> * your user is defined in a subfolder "acl_user", i.e.
> above "mymethod"
Not the case.
> then the additional check, that a user can not reach material
> outside the context of its user folder may hit you.
As a working solution I've given a proxy role of Manager to my
standard_html_footer method: it works fine but I don't really
understand what security problems may arise...
bye, and thanks to all for the help.
Jerome Alet