[z3-five] Unexpectedly unprotected code
Philipp von Weitershausen
philipp at weitershausen.de
Mon Jan 29 23:40:08 CET 2007
Chris Withers wrote:
> 1. Code running at this point has no security context, so anything that
> uses getSecurityManager will get an anonymous user. This is annoying.
> Why is it like this?
Sidnei already said it: it's traversal, there's no security context
determined yet.
> 2. More worrying, the code running at point A is "trusted". Am I being
> unreasonable to expect that code only to run if the current user has
> cmf.ModifyPortalContent?
No, you're simply not getting the difference between __init__ and a
__call__ on a view :).
> The first implementation of this view did its form processing in the
> __init__ method.
That's typically not considered good style. As Sidnei said already, the
__init__ of a view is invoked when the view is looked up. That happens
during traversal. There's no certainty that the view will be the last
thing in the traversal chain or that the view will actually end up being
called. For example, the view might not be accessible to the current
user due to insufficient privileges.
Therefore doing stuff in __init__ that changes the state of the app is
asking for trouble.
> Because of point 2, that meant that any anonymous user
> could edit objects they shouldn't have been able to. The code needed a
> user object though, so thanks to point 1, it always did the wrong thing,
> so even legitimate users ended up screwed ;-)
>
> Can anyone explain a bit more about this and how you're supposed to get
> around this?
Actual view code belongs in __call__.
--
http://worldcookery.com -- Professional Zope documentation and training
Next Zope 3 training at Camp5: http://trizpug.org/boot-camp/camp5
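
The ordering described in the message above (view lookup during traversal, then the permission check, then the call), as an added example that is not part of the original post and is not Zope or Five code. The publish function, both view classes and the request dict are hypothetical stand-ins for a simplified model; only the permission name comes from the thread.

```python
# Simplified model of a publisher: traversal instantiates the view first,
# the permission check happens afterwards, and only then is the view called.
# All class and function names are hypothetical; this is not Zope or Five code.

class Unauthorized(Exception):
    pass

class Document:
    def __init__(self):
        self.title = "original"

class InitEditView:
    """Form processing in __init__: runs during traversal, before the check."""
    permission = "cmf.ModifyPortalContent"
    def __init__(self, context, request):
        self.context, self.request = context, request
        if "title" in request:
            context.title = request["title"]  # state change with no security context
    def __call__(self):
        return "saved"

class CallEditView:
    """Form processing in __call__: only reached after the check passes."""
    permission = "cmf.ModifyPortalContent"
    def __init__(self, context, request):
        self.context, self.request = context, request
    def __call__(self):
        if "title" in self.request:
            self.context.title = self.request["title"]
        return "saved"

def publish(view_class, context, request, user_permissions):
    view = view_class(context, request)          # traversal: view lookup
    if view.permission not in user_permissions:  # security check after traversal
        raise Unauthorized(view.permission)
    return view()                                # the actual call

def try_anonymous_edit(view_class):
    """Return the document title after an edit attempt with no permissions."""
    doc = Document()
    try:
        publish(view_class, doc, {"title": "changed"}, user_permissions=set())
    except Unauthorized:
        pass
    return doc.title

if __name__ == "__main__":
    print(try_anonymous_edit(InitEditView))  # modified despite Unauthorized
    print(try_anonymous_edit(CallEditView))  # untouched
```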