[Zope-CMF] Securing CMF with Page Templates

Dieter Maurer dieter@handshake.de
Sun, 14 Apr 2002 22:26:26 +0200

Kent Polk writes:
 > Dieter Maurer wrote:
 > ...
 > >  > It fails every time for me.
 > > And it might be right:
 > > 
 > >   The effective permissions are the intersection
 > >   of those that both the executing user and the owner of the
 > >   executing script have.
 > > 
 > >   If the owner no longer has "View" permission, then even when
 > >   the executing user has, he will not be allowed to view.
 > > 
 > >   This is Zope's Trojan Horse protection...
 > Actually, I oversimplified the case a tiny bit (didn't know that
 > it would matter). The owner does have view permissions but is the
 > only other role that does, so the case still appears the same here.
In order to successfully view something you often need
"Access content information", too.

   That's because the viewing template often accesses properties
   of the viewed object which are often protected by
   "Access content information".
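
The rule discussed in this message, as an added example that is not part of the original post and not Zope's own code: a simplified Python model that reports which permission fails for which principal. The role names, the sample settings in DOC and the function names are assumptions made for illustration.

```python
# Simplified model of the rule described above; this is not Zope's security
# machinery. Role names and the sample settings are constructed.
VIEW = "View"
ACI = "Access content information"  # permission name as written in the post

def permissions_of(roles, permission_roles):
    """Permissions a principal holds: one of its roles is granted the permission."""
    return {perm for perm, granted in permission_roles.items()
            if set(roles) & set(granted)}

def effective_permissions(user_roles, owner_roles, permission_roles):
    """Intersection of what the executing user and the script owner may do."""
    return (permissions_of(user_roles, permission_roles)
            & permissions_of(owner_roles, permission_roles))

def diagnose(required, user_roles, owner_roles, permission_roles):
    """Return (permission, principal) pairs, one for each denial."""
    user_perms = permissions_of(user_roles, permission_roles)
    owner_perms = permissions_of(owner_roles, permission_roles)
    denials = []
    for perm in required:
        if perm not in user_perms:
            denials.append((perm, "executing user"))
        if perm not in owner_perms:
            denials.append((perm, "script owner"))
    return denials

# A viewing template needs View on the object and, because it reads the
# object's properties, "Access content information" as well.
TEMPLATE_NEEDS = [VIEW, ACI]

# Constructed settings: View limited to two roles, property access to Manager.
DOC = {VIEW: ["Reviewer", "Owner"], ACI: ["Manager"]}

if __name__ == "__main__":
    # Both principals have View, yet the template still fails on property access.
    for perm, who in diagnose(TEMPLATE_NEEDS, ["Reviewer"], ["Owner"], DOC):
        print(f"denied: {who} lacks {perm!r}")
    # The executing user has View but the script owner does not: still denied.
    print(diagnose([VIEW], ["Reviewer"], ["Member"], DOC))
```
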