[Zope] ZPT can't read protected info retrieved by authorized script
Toni Vicens
toni_vicens at terra.es
Thu Jul 22 04:25:45 EDT 2004
Hi,
I'm new to Zope development and I'm quite stuck with the following
problem:
I'm building a website with Zope, postgresql and exUserFolder.
One of the tables of the postgresql DB stores addresses from different
website users.
I have built a ZSQL method which retrieves users addresses from that
table taking the user identifier as the input variable.
The thing is that I would like to assure that each user can only read
his own addresses.
To accomplish this I have done the following:
I have put the ZSQL method in a folder (sql/restricted) where only
owners and managers have “access content information” and “view”
permissions (my users have member roles).
Then I have written a python script with “owner” proxy role with the
following code:
request = container.REQUEST
user = request.AUTHENTICATED_USER
regs = container.sql.restricted.my_zsql_method(user_id=user.getUserId())
The problem is that when I call this method from a Page Template I get
the following error:
Unauthorized: You are not allowed to access 'attribute1' in this
context.
Finally I wrote an external method with the following code:
user = REQUEST.AUTHENTICATED_USER
addresses = self.sql.restricted.my_zsql_method(user_id=user.getUserId())
cp_addresses = []
for address in addresses:
address_dict = {}
for key in addresses._schema.keys():
address_dict[key]=address_dict [key]
cp_addresses.append(address_dict)
return cp_addresses
and this works.
But there MUST be an easier and more efficient way of doing it!!!
Does someone know what I'm missing?
Thanks a lot,
Toni.
More information about the Zope
mailing list