[ZPT] No proxy roles in page templates? What do I do then?
John Morton
jwm@plain.co.nz
Sun, 7 Oct 2001 21:04:05 +1200
On Sunday 07 October 2001 20:23, John Morton wrote:
> >> I just discovered that page templates don't have proxy roles. From t=
he
> >> fact that nobody is complaining, I assume there must be some new, ZP=
T
> >> way of doing things that doesn't require proxy roles... I hope there=
is.
> >> Anyone wants to tell me what it is? Seems to me that this severely
> >> limits how secure I can make products...
> >
> > Use a Script. Templates and Scripts cooperate quite well.
>
> I've just been trying this strategy, switching from a similar arrangeme=
nt
> using DTML methods and have discovered that while I can add a proxy rol=
e to
> a DTML method if I have that role as a standard role, or a local role, =
I
> can't add a role that I only posess as a local role to a Python Script =
-
> using Zope 2.3.3 with all the most recent hotfixes.
>
> I've had a quick glance at the code comparing manage_proxy and friends =
in
> both the DTML method source and PythonScripts, and I can't seen any obv=
ious
> differences so I presume this behaviour isn't intentional. Does it work
> properly in Zope 2.4.x?
No, wait - the _validateProxy method in DTMLMethod.py does this:
if r and not user(self, (r,)):
user=3DNone
break
While PythonScripts.py does this:
if r and not user(None, (r,)):
user=3DNone
break
Is this deliberate? Shouldn't the behaviour be consistant across all=20
method/script types?=20
John