[Zope3-Users] ForbiddenAttribute with defaultView directive
hass
hassan at dc4.so-net.ne.jp
Sat Sep 12 08:46:18 EDT 2009
Hi,
I have a ZCML declaration like this for the "StudentDisplay" view:
<z3c:pagelet
for="..IStudent"
name = "top.html"
class=".StudentDisplay"
permission = "student.edit"
layer = ...
/>
<browser:defaultView
for = "..IStudent"
name = "top.html"
layer = ...
/>
In the "StudentDisplay" view I have the following line:
orders = [ purchase.order for purchase in self.context['orders'] ]
Now, the "purchase" object does not have any security declarations (with
the "require" directive) and the above line(which is accessing the
"order" attribute ) should produce a ForbiddenAttribute. However, there
is something which I don't get.
when I access the "student_object/top.html" page, I do not get any
errors and "can" access the "order "attribute of the purchase object. On
the other hand when I don't explicitly enter the full URL and want to
take advantage of the defaultView directive ( when accessing
"student_object/" ), there is a ForbiddenAttribute.
The user is the same and has the exact same permissions.
Can anyone please explain to me this behavior.
Thankyou!
Hass
More information about the Zope3-users
mailing list