[Zope3-Users] Security in Code, example, why does this work?

Reinhold Strobl reinhold.strobl at gmx.net
Sun Apr 9 09:21:55 EDT 2006


Hi,

I am currently dealing with security and I found a "strange" behaviour of Zope.
Ok, I will sum it up in short:

I have defined the following components:

1. A view component, which I have registered in the following way:

  <browser:page
      for="*"
      name="test3.html"
      class="bookapp.mc.Mc"
      template="a.pt"
      permission="zope.Public"
      />

  So, there is a template a.pt, which calls a method of the class bookapp.mc.Mc

2. The base class of the view has got a method, which is called from the
template. And the method looks like the following:

        def test3(self):  # method name is assumed; the post does not give it
            ut = zapi.getUtility(IBookstore)
            ret = ut.test3()
            return ret

 So the method of the base class of the view tries to get a utility and then
calls a function of the utility.

3. A utility. What it does is not important; I have registered it the following
way:

  <utility
      provides=".interfaces.IBookstore"
      factory=".bookstore.Bookstore"
      permission="zope.ManageContent"
      />


Now the important part: I have opened the ZMI and do NOT log in. And then I call the
view, which itself calls the utility, and everything was o.k. But the problem was that
I was not logged in, but the utility requires the permission
"zope.ManageContent". Why does it work??? Later I tried it with a content
component, and then I got an unauthorized exception.

So can code always access everything, or not? 

Thanks a lot for your replies in advance!
