[ZPT] not grokking tal/metal security

Kevin Littlejohn darius@obsidian.com.au
23 Apr 2002 10:31:51 +1000


On Tue, 2002-04-23 at 02:21, Florent Guillaume wrote:
> Does the object you're returning have any security assertion in its class,
> like security.declareObjectProtected('View') ?

Yes, it does - at the moment, the object itself is protected thus:

    security = ClassSecurityInfo()
    security.declareObjectPublic()

Each method is protected by specific permissions, but my role when I'm
logged in (as a Manager) includes those permissions.  If I declare the
methods to be public, then it works, because by the time the object's
methods are called, I'm back down to Anonymous User.

I can't have this stuff declared public, unfortunately - I need to code
in some checks to be sure that the user accessing the site is allowed to
do certain things on those objects.

KJL

> 
> Florent
> 
> Kevin Littlejohn  <darius@obsidian.com.au> wrote:
> > Hi all,
> > 
> > I've been trying to use metal and tal for a new project, and I'm being
> > bitten by something that looks like a bug to me.  Can someone please
> > explain this behaviour?
> > 
> > Two TAL pages:
> > 
> > macros:
> > <html metal:define-macro="page">
> > <head><title
> > tal:content="python:here.getDetails()['company_name']">company
> > Name</title></head>
> > <body><b tal:content="user/getUserName">Username</b> accessing <b
> > tal:content="python: here.getDetails()['company_name']">Company
> > Name</b><br>
> > <b>Links:</b><a href="/darius/">Home Page</a><br>
> > <hr>
> > <div metal:define-slot="main">Main Page</div></body></html>
> > 
> > index_html:
> > <html metal:use-macro="here/macros/macros/page">
> > <head><title>Welcome to Jet</title></head>
> > <body>
> > <div metal:fill-slot="main">
> > Current Choices:
> > <ul>
> >     <li><a href="listUsers">List all Users</a></li>
> > </ul>
> > </div>
> > </body>
> > </html>
> > 
> > Now, if I refer to
> > tal:content="python:here/getDetails()['company_name']" in index_html, it
> > works - that method requires a certain set of privileges, which I have
> > when I'm logged in.  But in macros, it seems that I've been demoted to
> > an Anonymous User - if I try and load index_html as it is above when
> > Anonymous User doesn't have "view" privileges, I get told "You are not
> > allowed to access macros in this context".  If I try and fudge around
> > that, I can pretty much verify that by the time I'm rendering the macro,
> > I'm Anonymous User, instead of myself.
> > 
> > Am I doing something wrong?
> > 
> > I'm striking a similar, though different, problem with a line that
> > reads:
> > tal:content="python:here.customer(request.user_cid).getDetails()", where
> > here.customer() returns a Customer object, which has a getDetails()
> > method - by the time I'm calling the getDetails method, I'm Anonymous
> > User again, even though the call to here.customer() is made as me.
> > 
> > Confused,
> > KevinL
> > -- 
> > Internet techie                    Obsidian Consulting Group
> > Phone: +613 9653 9364                    Fax: +613 9354 2681
> > http://www.obsidian.com.au/           darius@obsidian.com.au
> > 
> > 
> > 
> > _______________________________________________
> > ZPT mailing list
> > ZPT@zope.org
> > http://lists.zope.org/mailman/listinfo/zpt
> > 
> 
> 
> -- 
> Florent Guillaume, Nuxeo (Paris, France)
> +33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
> 
> 
-- 
Internet techie                    Obsidian Consulting Group
Phone: +613 9653 9364                    Fax: +613 9354 2681
http://www.obsidian.com.au/           darius@obsidian.com.au