[Zope-CMF] Securing CMF with Page Templates

kent kent@goathill.org
10 Apr 2002 23:46:19 GMT

On 8 Apr 2002 16:10:01 -0500, Kent Polk wrote:
> Shane Hathaway wrote:
>> First, you can either assume that a "client" is a set of users or one
>> user.  I would make the assumption that a client is a set of users. 
>> With that in mind, it would make sense to create a new folder for each
>> client independent of member folders.
>> In other words, just use Zope security controls.  CMF tries hard to make
>> sure they work like they always have.
> Old topic, but new wrinkle for Zope 2.5.0 and/or CMF1.2 and Page
> Templates.

(problem with p.t. viewing a folder with role-constrained files or
folders in it)

> Interestingly, when the authentication fails, the file
> requested is still downloaded...  Seems clear that it's a folder
> view request that is triggering the authentication request.

I figured out what is triggering the authentication request with
Page Templates. You can access some file attributes correctly, but
not others. For example, the following works :

  <td><a href="filelink"
       tal:attributes="href string:${file/absolute_url}/view"
       tal:content="file/Title">file title</a></td>

but most other object attributes, like size, bobobase_modification_time
or getContentType trigger the authentication request, even though
the user has the appropriate role (even local roles makes no
difference here) :

 <td tal:content="file/size">file size</td>

And one can select the above anchor to the view method for the
object, and be able to access the object's attributes there.

Any idea as to what needs to be changed here to fix this?