[Zope-dev] Methods with no __roles__ defined not always protected?
Hi,

Just doing Squishdot for 2.2 when I noticed the following:

The SquishSite class has a method called item_count() which is used on one of the management pages. It currently isn't protected by any permissions or __roles__ and yet it still works fine on the management screen concerned. I thought this sort of thing was supposed to throw up an unauthorized error in 2.2?

cheers,

Chris

PS: It is now protected by a permission, but I can send anyone who cares a version which isn't...

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope)
Re: [Zope-dev] Methods with no __roles__ defined not always protected?
On Mon, 21 Aug 2000 12:15:24 +0100, Chris Withers [EMAIL PROTECTED] wrote:

> The SquishSite class has a method called item_count() which is used on one of the management pages. It currently isn't protected by any permissions or __roles__ and yet it still works fine on the management screen concerned. I thought this sort of thing was supposed to throw up an unauthorized error in 2.2?

No, for two reasons:

Firstly, I assume your management page is a dtml file on disk, not a dtml object stored in the ZODB. dtml files bypass *all* security checks.

Secondly, all objects that inherit from OFS.Item.SimpleItem (that is, almost all high level objects) have the __allow_access_to_unprotected_subobjects__ flag set. Your method would be callable from through-the-web dtml too.

The basic rules of Zope security are fairly easy; it's the exceptions that cause the problems.

Toby Dickenson
[EMAIL PROTECTED]
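The two rules Toby lists, as an added toy model in Python. This is not Zope's own code: Zope's real policy lives in AccessControl.ZopeSecurityPolicy and handles more cases (acquisition, proxy roles, executable ownership); the class names below are invented, and the mapping of "a permission was attached" to the role tuple ('Manager',) is an assumption made for the illustration.

```python
"""Toy model of the two Zope 2 security rules described in the thread.

Added illustration, not Zope code. Real Zope does this in
AccessControl.ZopeSecurityPolicy with more cases; class names are invented.
"""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when access is denied (Zope's AccessControl.Unauthorized)."""


_MISSING = object()   # "no __roles__ declared at all", distinct from None
PUBLIC = None         # Zope convention: __roles__ = None means public


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def validate(user, container, name):
    """Decide whether `user` may reach container.<name> on the checked path
    (a DTML method or script stored in the ZODB).

    Rule 1: an explicit declaration wins. Zope keeps a method's roles in a
            `<name>__roles__` class attribute, since functions carry none.
    Rule 2: with no declaration at all, the container's
            __allow_access_to_unprotected_subobjects__ flag decides. It may
            be a truth value or a dict mapping attribute names to flags.
    """
    roles = getattr(container, name + "__roles__", _MISSING)
    if roles is not _MISSING:
        if roles is PUBLIC:
            return True
        return bool(set(roles) & user.roles)
    allow = getattr(container, "__allow_access_to_unprotected_subobjects__", 0)
    if isinstance(allow, dict):
        allow = allow.get(name, 0)
    return bool(allow)


def call(user, container, name, template_on_disk=False):
    """Call container.<name> the way a DTML template would.

    A DTML *file* on disk (the usual product management screen) skips
    validate() entirely, which is Toby's first point.
    """
    if not template_on_disk and not validate(user, container, name):
        raise Unauthorized(f"{user.name} may not call {name}")
    return getattr(container, name)()


class SimpleItemLike:
    """Stands in for OFS.SimpleItem.Item, which sets this flag to 1."""
    __allow_access_to_unprotected_subobjects__ = 1


class UnprotectedSite(SimpleItemLike):
    """item_count() with no permission and no __roles__ (Chris's first version)."""
    def item_count(self):
        return 42


class ProtectedSite(SimpleItemLike):
    """item_count() after a permission was attached. Zope derives the roles
    from the permission's role mapping; ('Manager',) is assumed here."""
    item_count__roles__ = ("Manager",)

    def item_count(self):
        return 42


class StrictContainer:
    """A container without the SimpleItem flag: undeclared names are denied."""
    __allow_access_to_unprotected_subobjects__ = 0

    def item_count(self):
        return 42


def outcomes():
    """Run the thread's scenarios; True means the call was allowed."""
    anon = User("Anonymous User", frozenset({"Anonymous"}))
    admin = User("admin", frozenset({"Manager"}))
    cases = {  # label: (user, object, template_on_disk)
        "unprotected, disk dtml, anonymous": (anon, UnprotectedSite(), True),
        "unprotected, ttw dtml, anonymous": (anon, UnprotectedSite(), False),
        "protected, ttw dtml, anonymous": (anon, ProtectedSite(), False),
        "protected, ttw dtml, manager": (admin, ProtectedSite(), False),
        "protected, disk dtml, anonymous": (anon, ProtectedSite(), True),
        "strict container, ttw dtml, manager": (admin, StrictContainer(), False),
    }
    result = {}
    for label, (user, obj, on_disk) in cases.items():
        try:
            call(user, obj, "item_count", template_on_disk=on_disk)
            result[label] = True
        except Unauthorized:
            result[label] = False
    return result


if __name__ == "__main__":
    for label, allowed in outcomes().items():
        print(f"{label:38s} -> {'allowed' if allowed else 'Unauthorized'}")
```

The second and third cases are the ones the thread turns on: with the SimpleItem flag set, an undeclared item_count() is reachable from through-the-web DTML by anyone, but once a declaration exists the flag no longer applies and the role check runs. The disk-DTML rows show why the management screen kept working either way.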
Re: [Zope-dev] Methods with no __roles__ defined not always protected?
Toby Dickenson wrote:

> Firstly, I assume your management page is a dtml file on disk, not a dtml object stored in the ZODB. dtml files bypass *all* security checks.

That's nice :(

> Secondly, all objects that inherit from OFS.Item.SimpleItem (that is, almost all high level objects) have the __allow_access_to_unprotected_subobjects__ flag set. Your method would be callable from through-the-web dtml too.

Even though it now has a permission attached to it?

cheers,

Chris