[ZPT] RE: Permissions, ZPT and absolute_url
Jay, Dylan
djay@avaya.com
Tue, 3 Dec 2002 16:56:51 +1100
A bit more exploring reveals that I can call absolute_url on Folder object
or aquition path of Folder objects regardless of the fact that they all fail
to aquire a view permission. However if I try to do the same on another ZPT
or PythonScript etc, then I get the follwing error
"
<strong>Error Type: Unauthorized</strong><br>
<strong>Error Value: You are not allowed to access doRegistration in this
context</strong>
"
It seems that the security framework barfs to a traversal of anything else
other than folders???
> -----Original Message-----
> From: Jay, Dylan
> Sent: Tuesday, 3 December 2002 2:59 PM
> To: 'zope@zope.org'
> Subject: Permissions, ZPT and absolute_url
>
>
> I'm having a bit of trouble with security and ZPT. I am
> locking down my site such that only the cookie login page has
> anonymous view permission. This page however is used with the
> VirtualHost monster so all the links off it have something
> like tal:attributes="here/reg/register.html/absolute_url".
>
> Now from looking at the code absolute_url is a public method
> so shouldn't call be allowable without having to make
> register.html viewable to anonymous? Without ZPT proxy roles
> would be the answer but that isn't offer with ZPT :(
>
> ----
> Dylan Jay mailto:djay@avaya.com
> Avaya Communication Tel: +61-2-9352-8642
> Level 3, 123 Epping Road FAX: +61-2-9352 9224
> Nth Ryde NSW 2113 Mobile: 0409 606 171
> AUSTRALIA
>