Having read Stuarts post with a similar context I was digging trough DCWorkflow with the debugger and found that
In Shared.DC.Scripts.Bindings._getContext(self), there seems to be a new security check: getSecurityManager().validate(parent, container, '', self)
Yep, this was a real hole in PythonScripts before; the script shouldn't bind the name 'container' if the user doesn't have access to the container.
does only allow Manager to access the container of the script that is called during the DCWorkflow transition.
Any ideas?
Two possibilities:
- If your script doesn't need to access container, then go to its
"Bindings" tab and clear the entry for "container". The security
check added in 2.6.3 won't take effect until the name is bound
(there is even a unit test for that case). - If your script *does* need access to the container (which will be
the "scripts" container of the workflow, IIRC), then you need to
give the script a proxy role of 'Manager'.Tres. -- =============================================================== Tres Seaver [EMAIL PROTECTED] Zope Corporation "Zope Dealers" http://www.zope.com
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
