[z3-five] ZCML security declarations and properties
Martin Aspeli
optilude at gmx.net
Tue Apr 17 23:32:28 CEST 2007
Tres Seaver wrote:
> Can you examine your class in the debugger, and look at its __dict__?
> The interesting keys are going to be '__ac_permissions__' and
> 'bar__roles__' (if that one exists).
__ac_permissions__ has 'bar' in the list for 'View' (and nothing else).
bar__roles__ is:
['Anonymous',
'Manager',
'Reviewer',
'Reader',
'Editor',
'Anonymous',
'Manager',
'Reviewer',
'Reader',
'Editor',
'Reader',
'Manager',
'Anonymous']
Apart from the repetition, that is what I'd expect.
>>> your other error is assuming that a ZPT
>>> is trusted code. You need to grant permissions for *all* attributes /
>>> methods you access through ZPT, *except* those bound into the top-level
>>> namespace (like 'options', 'request' etc.)
>> I'm talking about a ZPT bound to a Z3 view with
>> Products.Five.browser.pagetemplatefile.ViewPageTemplateFile. In my
>> understanding, these are trusted code, at least I'm able to do all kinds
>> of otherwise "insecure" things inside them, but not access this bit of
>> my context content object.
>
> You are correct that the VPTF is trusted code -- my bad.
So then why does this matter at all?
/me scratches head...
Martin