[z3-five] ZCML security declarations and properties
Tres Seaver
tseaver at palladion.com
Tue Apr 17 04:39:34 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Martin Aspeli wrote:
> Hi guys,
>
> I have an interface that defines various properties:
>
> class IFoo(Interface):
>
> bar = schema.TextLine(...)
>
> class Foo(SimpleItem):
> implements(IBar)
>
> bar = property(...)
>
> I then have this in ZCML:
>
> <class class=".foo.Foo"
> <require
> permission="zope2.View"
> interface=".interfaces.IFoo
> />
> <require
> permission="cmf.ModifyPortalContent"
> set_schema=".interfaces.Foo
> />
> </class>
>
> However, if I try to do
>
> <span tal:content="context/getPhone">Phone number</span>
>
> in a page ViewPageTemplateFile in a Z3 view (i.e. trusted code), I get:
>
> Unauthorized: You are not allowed to access 'bar' in this context
>
> This is with verbose-security on, but not much help there...
>
> What am I missing here? Why is this happening even in trusted code?
'getPhone' is not declared as being part of the interface to which you
grant permission in the ZCML; your other error is assuming that a ZPT
is trusted code. You need to grant permissions for *all* attributes /
methods you access through ZPT, *except* those bound into the top-level
namespace (like 'options', 'request' etc.)
Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGJDNm+gerLs4ltQ4RArh5AJ0XVqJtzb80izqgbZZ8s4Gs/e3HVQCgqyBe
M1yfmSvl1xT8mb524Ws9yKo=
=zBOg
-----END PGP SIGNATURE-----
More information about the z3-five
mailing list