[Zope] Why I must set security-property "Access contents information" to get Data from Database?
Chris Withers
chris at simplistix.co.uk
Fri Feb 11 06:59:34 EST 2005
Dieter Maurer wrote:
> This would be the case, would ZPublisher use the standard traversal
> procedure.
> But, in fact, it does not do that. Instead, it traverses to
> the URL addressed target disregarding any security restrictions,

I'm afraid this is incorrect.

Create a folder called "hidden".

Change the Roles->Permission mapping on this such that only Manager can
do anything.

Now create a Page Template called "unhidden" within "hidden".

Change the Roles->Permission mapping on this such that Anonymous has
"Access contents information" and "View".

Now go to /hidden/unhidden in an unauthenticated browser...

Maybe you have some patches in place which affect this, but a normal
Zope server does not behave as you describe, and many people would be
pretty disturbed if it did...

Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk