[z3-five] Unexpectedly unprotected code
Chris Withers
chris at simplistix.co.uk
Mon Jan 29 23:57:03 CET 2007
Martin Aspeli wrote:
>> The first implementation of this view did its form processing in the
>> __init__ method.
>
> That doesn't sound sensible...
Indeed, that's why I moved it to its own method. That method still seems
to need a docstring to placate Zope 2's publisher, but am I right in
thinking that method is protected by the view's permissions?
> The anonymous user shouldn't be allowed
> to instantiate the view at all, because it's protected by
> permission="cmf.ModifyPortalContent".
Yes, I think this is the bit that surprised me.
Why can an anonymous user cause a view they have no rights to see to be
instantiated?
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
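The ordering Chris is puzzled by, illustrated as an added example that is not code from the thread or from Zope/Five: a stand-in publisher that instantiates the view during traversal (running __init__) and only afterwards checks the permission on the published method. The `Context`, `Request`, `publish` and the `__protected__` class attribute are constructed for this illustration; in real Five the permission comes from the ZCML `permission=` attribute and the check is done by the security machinery, but the point is the same, that work done in __init__ has already happened by the time the check fails.

```python
"""Added illustration (not from the thread or from Zope itself): why
side effects in a view's __init__ are not covered by the view's permission.

Simulated publishing order as described in the thread: traversal
instantiates the view (running __init__) before the publisher decides
whether the current user may access the published callable.  All names
below are constructed stand-ins, not Zope APIs."""

from dataclasses import dataclass, field

MODIFY = "cmf.ModifyPortalContent"  # permission name quoted in the thread


class Unauthorized(Exception):
    """Stand-in for the publisher's Unauthorized exception."""


@dataclass
class Context:
    """Fake content object that records writes made through a view."""
    writes: list = field(default_factory=list)


@dataclass
class Request:
    """Fake request: submitted form fields plus the user's permissions."""
    form: dict
    user_permissions: frozenset


class UnsafeView:
    """Form processing in __init__: runs on every traversal to the view."""
    __protected__ = MODIFY  # constructed stand-in for the ZCML permission

    def __init__(self, context, request):
        self.context = context
        self.request = request
        # Side effect happens here, before any access check is made.
        if "title" in request.form:
            context.writes.append(request.form["title"])

    def __call__(self):
        return "rendered"


class SafeView:
    """Form processing moved into a method reached only after the check."""
    __protected__ = MODIFY

    def __init__(self, context, request):
        self.context = context
        self.request = request  # no side effects during traversal

    def update(self):
        """Process the form; only called from the protected __call__."""
        if "title" in self.request.form:
            self.context.writes.append(self.request.form["title"])

    def __call__(self):
        self.update()
        return "rendered"


def publish(view_class, context, request):
    """Simulated publisher: instantiate (traverse) first, authorize second."""
    view = view_class(context, request)            # __init__ always runs
    if view.__protected__ not in request.user_permissions:
        raise Unauthorized(view.__protected__)     # check comes too late for __init__
    return view()


def anonymous_writes(view_class):
    """Writes an anonymous user (no permissions) can cause via view_class."""
    context = Context()
    request = Request(form={"title": "injected"}, user_permissions=frozenset())
    try:
        publish(view_class, context, request)
    except Unauthorized:
        pass
    return list(context.writes)


if __name__ == "__main__":
    print("UnsafeView, anonymous:", anonymous_writes(UnsafeView))  # ['injected']
    print("SafeView, anonymous:", anonymous_writes(SafeView))      # []
```

Running it shows the anonymous request still leaves a write behind with `UnsafeView`, while `SafeView` does nothing until the permission check has passed, which is the reason to keep __init__ free of side effects even when the view as a whole is protected.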