[Zope-Coders] Bug in SecurityPolicy?
Chris Withers
chrisw at nipltd.com
Tue Aug 5 18:04:02 EDT 2003
Hi,
This behaviour strikes me as wrong.
Add a folder, twiddle it's security settings so that anonymous people may
'access contents information' but not 'view'.
Add a ZPT into that contains, at a minimum:
<tal:x replace="here/title">
Now go to folder/your_zpt_name with an unauthenticated browser. You'll more than
likely get an auth box popup for the 'title' property access in the ZPT.
This strikes me as wrong. Why? Well, Folders have the equivalent of
security.setDefaultAccess("allow") in them. So, surely, the title attribute
(which is unprotected by the secrity machinery, 'cos it's a string) should be
accessible by an anonymous user with no roles?
VerboseSecurity currently tells me the user must have the View permission, which
I don't want the anonymous user to have.
Help!
Chris
More information about the Zope-Coders
mailing list