[ZPT] Permissions, ZPT and absolute_url
Jay, Dylan
djay@avaya.com
Wed, 4 Dec 2002 09:20:05 +1100
> -----Original Message-----
> From: Dieter Maurer [mailto:dieter@handshake.de]
> Sent: Wednesday, 4 December 2002 7:17 AM
> To: Jay, Dylan
> Cc: 'zpt@zope.org'
> Subject: Re: [ZPT] Permissions, ZPT and absolute_url
>
>
> Jay, Dylan writes:
> > I'm having a bit of trouble with security and ZPT. I am locking down my site
> > such that only the cookie login page has anonymous view permission. This
> > page however is used with the VirtualHost monster so all the links off it
> > have something like tal:attributes="here/reg/register.html/absolute_url".
> >
> > Now from looking at the code absolute_url is a public method so shouldn't
> > call be allowable without having to make register.html viewable to
> > anonymous? Without ZPT proxy roles would be the answer but that isn't offered
> > with ZPT :(
> Path expressions use "restrictedTraverse" for traversal.
>
> "restrictedTraverse" checks the object protection of all intermediate
> steps.
>
> Most object classes use "Access contents information" as
> object protection permission but some use "View"
> or other (more appropriate) permissions.
Yes, looks like ZPT is object protected by the "View" permission :( I'm not
sure that's appropriate either.
> Looks like ZPT is using some permission your anonymous does not have.
>
> I would go for a Python Script with an appropriate proxy role
> that computed the requested "absolute_url". It would be nicer,
So if I link to 10 other pages and need their url, I need 10 Python scripts?
That's crazy. Anyone know if there is a good reason why a ZPT object
protection isn't public?
> when ZPT had proxy roles, but ....
Is there a good reason why it has no proxy roles?
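
Added example, not part of either message and not Zope's own code: a simplified model of the per-step check described above, showing why the public absolute_url is never reached for Anonymous, and how a single proxy-role helper that takes the path as a parameter could serve several links. The names Node, SITE, LINKABLE and url_for, the "Member" role, the example.invalid host, and Anonymous holding "Access contents information" on the folder are all assumptions.

```python
# Simplified model of per-step traversal checks; not Zope's implementation.
class Unauthorized(Exception):
    pass

class Node:
    def __init__(self, name, guard, roles, children=()):
        self.name = name
        self.guard = guard          # object protection permission
        self.roles = set(roles)     # roles holding that permission here
        self.parent = None
        self.children = {}
        for child in children:
            child.parent = self
            self.children[child.name] = child

    def absolute_url(self):
        # Public method in this model: no permission check of its own.
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))

def restricted_traverse(root, path, roles):
    """Resolve path, checking the object protection of every step."""
    obj = root
    for step in path.split("/"):
        obj = obj.children[step]
        if not obj.roles & set(roles):
            raise Unauthorized(f"{step!r} requires {obj.guard!r}")
    return obj

# Constructed site: Anonymous holds "View" only on the login page.
SITE = Node("http://example.invalid", "Access contents information",
            {"Anonymous", "Member"}, [
    Node("login.html", "View", {"Anonymous", "Member"}),
    Node("reg", "Access contents information", {"Anonymous", "Member"}, [
        Node("register.html", "View", {"Member"}),
    ]),
])

LINKABLE = {"reg/register.html"}   # hypothetical allowlist of link targets

def url_for(path, proxy_roles=("Member",)):
    """Stand-in for ONE script with a proxy role, taking the path as a parameter."""
    if path not in LINKABLE:       # keep the proxy role from resolving arbitrary paths
        raise Unauthorized(f"{path!r} is not a permitted link target")
    return restricted_traverse(SITE, path, proxy_roles).absolute_url()
```

The allowlist matters because a helper running with elevated roles would otherwise resolve any path an anonymous caller supplies.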