[z3-five] Unexpectedly unprotected code
Chris Withers
chris at simplistix.co.uk
Mon Jan 29 22:35:36 CET 2007
Hi All,
I have a view registered as follows:
<browser:page
    for="ISomething"
    name="myview"
    class="MyView"
    template="myview.pt"
    permission="cmf.ModifyPortalContent"
    />
The view class looks like this:
from Products.Five.browser import BrowserView

class MyView(BrowserView):

    def __init__(self, context, request):
        self.context = context
        self.request = request
        # point A
I've noticed two things about code running at point A by going to the
following url:
http://localhost:7001/mysite/anobject/@@myview
1. Code running at this point has no security context, so anything that
uses getSecurityManager will get an anonymous user. This is annoying.
Why is it like this?
2. More worrying, the code running at point A is "trusted". Am I being
unreasonable to expect that code only to run if the current user has
cmf.ModifyPortalContent?
The first implementation of this view did its form processing in the
__init__ method. Because of point 2, that meant that any anonymous user
could edit objects they shouldn't have been able to. The code needed a
user object though, so thanks to point 1, it always did the wrong thing,
so even legitimate users ended up screwed ;-)
Can anyone explain a bit more about this and how you're supposed to get
around this?
Cheers,
Chris
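The ordering Chris describes, as an added illustration that is not from the post or from Zope/Five: a toy stand-in for the publisher (instantiate the view during traversal, then check the declared permission, then call it), with the view that processes the form in __init__ beside one that defers the side effect to __call__, the entry point the permission actually guards. All class and function names here are hypothetical.

```python
# Hypothetical simulation of the publisher ordering described in the post;
# none of these names come from Zope or Five.

MODIFY = "cmf.ModifyPortalContent"  # the permission named in the ZCML


class User:
    def __init__(self, name, permissions=()):
        self.name = name
        self.permissions = set(permissions)


class Content:
    def __init__(self):
        self.title = "original"


class Forbidden(Exception):
    pass


class VulnerableView:
    """Form processing in __init__: runs at traversal time, before any check."""
    def __init__(self, context, request):
        self.context = context
        self.request = request
        if "title" in request:                 # "point A" in the post
            context.title = request["title"]   # side effect, unprotected

    def __call__(self):
        return self.context.title


class SafeView:
    """Side effects deferred to __call__, reached only after the check."""
    def __init__(self, context, request):
        self.context = context
        self.request = request

    def __call__(self):
        if "title" in self.request:
            self.context.title = self.request["title"]
        return self.context.title


def publish(view_class, context, request, user):
    """Instantiate first (traversal), then enforce the permission, then call."""
    view = view_class(context, request)        # __init__ runs here regardless
    if MODIFY not in user.permissions:
        raise Forbidden(user.name)
    return view()


def attempt_edit(view_class, user):
    """Return the content title after a (possibly forbidden) edit attempt."""
    content = Content()
    try:
        publish(view_class, content, {"title": "changed"}, user)
    except Forbidden:
        pass
    return content.title
```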