[Zope-CMF] Securing CMF with Page Templates

Dieter Maurer dieter@handshake.de
Fri, 12 Apr 2002 20:30:06 +0200


Kent Polk writes:
 > Dieter Maurer wrote:
 > > kent writes:
 > >  > I figured out what is triggering the authentication request with
 > >  > Page Templates. You can access some file attributes correctly, but
 > >  > not others. For example, the following works:
 > >  > 
 > >  >   <td><a href="filelink"
 > >  >        tal:attributes="href string:${file/absolute_url}/view"
 > >  >        tal:content="file/Title">file title</a></td>
 > >  > 
 > >  > but most other object attributes, like size, bobobase_modification_time
 > >  > or getContentType trigger the authentication request, even though
 > >  > the user has the appropriate role (even local roles make no
 > >  > difference here):
 > >  > 
 > >  >  <td tal:content="file/size">file size</td>
 > > I can access the file size without any problem in a PageTemplate ...
 > 
 > Have you turned off 'Acquire permission settings' for 'view' to
 > that object, allowed view permission only for a User defined role,
 > and then logged in as a user who has that role (or set via local
 > roles) and then tried to access the file/size for that object from
 > outside of that object?
No, I did not.

 > It fails every time for me.
And it might be right:

  The effective permissions are the intersection
  of those that both the executing user and the owner of the
  executing script have.

  If the owner no longer has "View" permission, then even when
  the executing user has, he will not be allowed to view.

  This is Zope's Trojan Horse protection...


Dieter
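
The intersection rule described in the reply above, as an added example that is not part of the original message and is not Zope code. It is a simplified Python model; the class names, function names, role names and sample objects are all assumptions constructed for illustration.

```python
# Simplified model of the rule, not Zope's implementation.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set                                        # global roles
    local_roles: dict = field(default_factory=dict)   # object id -> extra roles

    def roles_on(self, obj):
        return self.roles | self.local_roles.get(obj.id, set())

@dataclass
class Content:
    id: str
    permission_roles: dict   # permission -> roles granted it, acquisition off

def has_permission(user, permission, obj):
    granted = obj.permission_roles.get(permission, set())
    return bool(user.roles_on(obj) & granted)

def template_may_access(executing_user, template_owner, permission, obj):
    """Access succeeds only if BOTH principals hold the permission."""
    return (has_permission(executing_user, permission, obj)
            and has_permission(template_owner, permission, obj))

def lacking(permission, obj, *principals):
    """Names of the principals whose roles do not grant the permission."""
    return [p.name for p in principals if not has_permission(p, permission, obj)]

# Constructed sample: "View" is granted to a user-defined role only.
report = Content("report.pdf", {"View": {"Reviewer"}})
kent = User("kent", {"Member"}, {"report.pdf": {"Reviewer"}})   # local role
admin = User("admin", {"Manager"})                              # owns the template

if __name__ == "__main__":
    print(template_may_access(kent, admin, "View", report))   # owner lacks View
    print(lacking("View", report, kent, admin))
    report.permission_roles["View"].add("Manager")            # restore owner's View
    print(template_may_access(kent, admin, "View", report))
```

The same check denies the reverse case, where a template owned by a low-privilege user is run by someone with more rights, which is the Trojan Horse protection the reply refers to.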