[z3-five] Unexpectedly unprotected code

Martin Aspeli optilude at gmx.net
Mon Jan 29 22:57:49 CET 2007


Chris Withers wrote:

> class MyView(BrowserView):
> 
>      def __init__(self,context,request):
>          self.context = context
>          self.request = request
>          # point A
> 
> 
> I've noticed two things about code running at point A by going to the
> following url:
> 
> http://localhost:7001/mysite/anobject/@@myview
> 
> 1. Code running at this point has no security context, so anything that 
> uses getSecurityManager will get an anonymous user. This is annoying. 
> Why is it like this?

Because you're in __init__(). Try the same thing in a content object; 
you won't have one there either.

> 2. More worrying, the code running at point A is "trusted". Am I being
> unreasonable to expect that code only to run if the current user has
> cmf.ModifyPortalContent?

All code inside views is trusted. It's not TTW code, so I think that's 
reasonable. This is Zope 2, remember, so security proxies start at the 
TTW/filesystem boundary.

> The first implementation of this view did its form processing in the
> __init__ method. Because of point 2, that meant that any anonymous user
> could edit objects they shouldn't have been able to.

That doesn't sound sensible... The anonymous user shouldn't be allowed 
to instantiate the view at all, because it's protected by 
permission="cmf.ModifyPortalContent". At least that's my understanding. 
It may be that __init__() gets called first, though...

In any case, form processing in __init__() is not very pretty; I think 
it makes much more sense to do that in __call__().

> Can anyone explain a bit more about this and how you're supposed to get
> around this?

Put code in __call__(). Don't use 'template' in ZCML, but instead do

from Products.Five.browser import BrowserView
from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile

class Foo(BrowserView):

    # Bind the template from Python instead of via 'template' in ZCML,
    # so that __call__ stays under the view's own control.
    template = ViewPageTemplateFile('myview.pt')

    def __call__(self):
        # Do the form processing here, using self.context and self.request.
        # This is the protected entry point; __init__() only stores the
        # context and request (inherited from BrowserView).
        return self.template()

Martin
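The ordering Martin suspects (the view's __init__() runs during traversal, and the permission declared in ZCML is enforced only around the call) can be shown with a small stand-alone model. The following is an added example, not code from the thread, from Zope or from Five: BrowserView, Content, Request, publish() and the role table are all simplified stand-ins written for illustration, and the instantiate-then-check order is an assumption taken from Martin's remark rather than a statement about the real publisher. It contrasts form processing in __init__() with the recommended __call__() placement.

```python
"""Toy model (constructed for this example, not Zope's publisher) of a view
being instantiated before its ZCML permission is checked."""


class Forbidden(Exception):
    """Raised when the simulated permission check fails."""


class Request:
    def __init__(self, user, form):
        self.user = user      # hypothetical user id, e.g. "anonymous"
        self.form = form      # submitted form fields (constructed sample)


class Content:
    """Stand-in content object with a hypothetical per-user permission table."""

    def __init__(self):
        self.title = "original"
        self.roles = {"editor": {"cmf.ModifyPortalContent"}}

    def allows(self, user, permission):
        return permission in self.roles.get(user, set())


class BrowserView:
    """Simplified stand-in for Products.Five.browser.BrowserView."""

    def __init__(self, context, request):
        self.context = context
        self.request = request


class EditInInit(BrowserView):
    """The pattern from the original post: mutates content in __init__()."""

    def __init__(self, context, request):
        super().__init__(context, request)
        if "title" in request.form:
            # Runs during instantiation, i.e. before any permission check.
            context.title = request.form["title"]

    def __call__(self):
        return self.context.title


class EditInCall(BrowserView):
    """Martin's recommendation: do the form processing in __call__()."""

    def __call__(self):
        if "title" in self.request.form:
            self.context.title = self.request.form["title"]
        return self.context.title


def publish(view_class, context, request, permission="cmf.ModifyPortalContent"):
    """Simulated publisher (assumed ordering): build the view as traversal
    would, then enforce the view's permission only around the call."""
    view = view_class(context, request)          # __init__() always runs
    if not context.allows(request.user, permission):
        raise Forbidden(request.user)
    return view()


def demo(view_class, user="anonymous"):
    """Return (outcome, resulting title) for one simulated request."""
    content = Content()
    request = Request(user, {"title": "defaced"})   # constructed form input
    try:
        publish(view_class, content, request)
        outcome = "allowed"
    except Forbidden:
        outcome = "forbidden"
    return outcome, content.title


if __name__ == "__main__":
    # The anonymous request is refused in both cases, but with the
    # __init__() variant the content has already been changed.
    print("EditInInit, anonymous:", demo(EditInInit))
    print("EditInCall, anonymous:", demo(EditInCall))
    print("EditInCall, editor:   ", demo(EditInCall, "editor"))
```

The useful check is the second element of the tuple: with EditInInit the request is refused yet the title is already "defaced", whereas with EditInCall a refused request leaves the content untouched and only an authorised user changes it.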
