[ZPT] Re: Please help: No protection for PageTemplateFile!!
Evan Simpson
evan@zope.com
Tue, 29 Jan 2002 12:02:19 -0500
Dirksen Lau wrote:
> I want to shut off anonymous access to my class, but to my surprise,
> instances of PageTemplateFile leak through the security check, even
> the id of which starts with 'manage_'! Here's my class
Thanks for uncovering this. There were some bad security declarations
in both Script.py and PageTemplateFile.py. Here are the diffs:
/Zope/lib/python/Shared/DC/Scripts/Script.py
44d43
< ('View', ('__call__','','ZPythonScriptHTML_tryAction')),
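Review bot: the entry deleted at line 44 covered three names, '__call__', '' and 'ZPythonScriptHTML_tryAction', but the stated reason for the change (these declarations override container-level security) only explains why the callable itself should lose its 'View' declaration. Nothing in the visible diff gives 'ZPythonScriptHTML_tryAction' a replacement declaration, so confirm which permission guards it after the deletion, and if it should stay restricted, keep it in an entry of its own rather than dropping it with the other two.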
/Zope/lib/python/Products/PageTemplates/PageTemplateFile.py
46,47d45
< security.declareObjectProtected('View')
< security.declareProtected('View', '__call__')
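Review bot: lines 46-47 are removed without a comment or a test, so a later cleanup could re-add an object-level 'View' declaration and bring back the bypass reported in this thread. Suggest a short comment at that spot in PageTemplateFile.py stating that the class intentionally declares no permission for the object or for '__call__' so that the containing class's settings apply, plus a regression test that an anonymous request for a PageTemplateFile whose id starts with 'manage_' is refused.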
(in other words, just delete those lines from those files)
These overrode any attempt to set security at the container level.
Thanks,
Evan @ Zope