[ZPT] not grokking tal/metal security
Kevin Littlejohn
darius@obsidian.com.au
23 Apr 2002 02:16:52 +1000
Hi all,
I've been trying to use metal and tal for a new project, and I'm being
bitten by something that looks like a bug to me. Can someone please
explain this behaviour?
Two TAL pages:
macros:
<html metal:define-macro="page">
  <head>
    <title tal:content="python:here.getDetails()['company_name']">company Name</title>
  </head>
  <body>
    <b tal:content="user/getUserName">Username</b> accessing
    <b tal:content="python: here.getDetails()['company_name']">Company Name</b><br>
    <b>Links:</b><a href="/darius/">Home Page</a><br>
    <hr>
    <div metal:define-slot="main">Main Page</div>
  </body>
</html>
index_html:
<html metal:use-macro="here/macros/macros/page">
  <head><title>Welcome to Jet</title></head>
  <body>
    <div metal:fill-slot="main">
      Current Choices:
      <ul>
        <li><a href="listUsers">List all Users</a></li>
      </ul>
    </div>
  </body>
</html>
Now, if I refer to
tal:content="python:here/getDetails()['company_name']" in index_html, it
works - that method requires a certain set of privileges, which I have
when I'm logged in. But in macros, it seems that I've been demoted to
an Anonymous User - if I try and load index_html as it is above when
Anonymous User doesn't have "view" privileges, I get told "You are not
allowed to access macros in this context". If I try and fudge around
that, I can pretty much verify that by the time I'm rendering the macro,
I'm Anonymous User, instead of myself.
Am I doing something wrong?
I'm striking a similar, though different, problem with a line that
reads:
tal:content="python:here.customer(request.user_cid).getDetails()", where
here.customer() returns a Customer object, which has a getDetails()
method - by the time I'm calling the getDetails method, I'm Anonymous
User again, even though the call to here.customer() is made as me.
Confused,
KevinL
--
Internet techie Obsidian Consulting Group
Phone: +613 9653 9364 Fax: +613 9354 2681
http://www.obsidian.com.au/ darius@obsidian.com.au