[Zope] problem testing for a permission

Jerome Alet alet@unice.fr
Sat, 21 Apr 2001 18:47:13 +0200


Hi,

On Fri, Apr 20, 2001 at 09:05:50PM +0200, Dieter Maurer wrote:
> I am not sure whether it was you with whom I discussed a similar
> problem?

No, I don't think so.

>   I could reproduce a problem when the user had not
>   "Access Contents Information", but the "View" permission
>   was not necessary.
> 
> Same for your problem (I am using ZopeCVS, about 10 days old):
> 
>   "has_permission" requires "Access Contents Information"
>   for its object attribute (a bug in my view), but no
>   'View' permission.

I've tried to give this permission on "mymethod" to anonymous 
users but without luck.

> Jerome Alet writes:
>  > ....
>  > <dtml-if "AUTHENTICATED_USER.has_permission('View', mymethod)">
>  >   ...
>  > but if I access the pages as an anonymous user then I've got
>  > an Unauthorized exception instead of not having the "Members only" link.
> Either some strange effect with your Zope version or:

Maybe. I'll try to update ASAP.

>  * your "standard_html_xxx" is a DTML Document (! not method)

No, it's a DTML method.

> 
>  * your user is defined in a subfolder "acl_user", i.e.
>    above "mymethod"

Not the case.

> then the additional check, that a user can not reach material
> outside the context of its user folder may hit you.

As a working solution I've given a proxy role of Manager to my
standard_html_footer method: it works fine but I don't really 
understand what security problems may arise...

bye, and thanks to all for the help.

Jerome Alet