[Zope-CMF] Securing CMF with Page Templates

Kent Polk kent@goathill.org
Thu, 11 Apr 2002 19:39:29 -0500 (CDT)

Dieter Maurer wrote:
> kent writes:
>  > I figured out what is triggering the authentication request with
>  > Page Templates. You can access some file attributes correctly, but
>  > not others. For example, the following works :
>  > 
>  >   <td><a href="filelink"
>  >        tal:attributes="href string:${file/absolute_url}/view"
>  >        tal:content="file/Title">file title</a></td>
>  > 
>  > but most other object attributes, like size, bobobase_modification_time
>  > or getContentType trigger the authentication request, even though
>  > the user has the appropriate role (even local roles makes no
>  > difference here) :
>  > 
>  >  <td tal:content="file/size">file size</td>
> I can access the file size without any problem in a PageTemplate ...

Have you turned off 'Acquire permission settings' for 'view' to
that object, allowed view permission only for a User defined role,
and then logged in as a user who has that role (or set via local
roles) and then tried to access the file/size for that object from
outside of that object?

It fails every time for me.

It even fails with the default directory view and folder_contents
pt methods here, apparently because they are attempting to access
such information from outside the object.