[z3-checkins] Re: r5852 - in z3/Five/trunk: . demo/FiveViewsDemo
tests tests/products/FiveTest
Philipp von Weitershausen
philipp at weitershausen.de
Mon Aug 2 23:15:30 MEST 2004
dreamcatcher at codespeak.net wrote:
...
Btw: this is merging dc-experiments branch...
> - browser:page now correctly handles the allow_attributes and protects
> the named attributes on the view with the same permission used for
> the view (this sounds a bit strange, doesn't it?)
Actually, it doesn't. This is primarily useful for views providing an
interface (although I think it's handled there already automatically).
Imagine widgets: input widgets provide IInputWidget. To look up the
widget, you need a certain permission. But the view will be security
proxied and still you should be allowed to call certain methods of the
view... The public methods of the view should be protected by the same
permission that is required to look up the view in the first place,
don't you think?
Philipp
More information about the z3-checkins
mailing list