[Zope-CMF] RFC: browser views and security

yuppie y.2006_ at wcm-solutions.de
Sun Jan 15 16:10:48 EST 2006


Hi!


Another issue with converting skin scripts to browser views:

Scripts are untrusted code; the permissions are checked for all methods 
called from scripts. Browser views are trusted code; they are only 
protected by one permission for the complete view.

Complex forms like folder contents behave differently depending on the 
permissions the users have. E.g. some users can delete or rename 
sub-objects while others can't.

The only solution I see is to protect all actions that need a different 
permission than the form itself by checkPermission.


Am I missing something?


Cheers,

	Yuppie
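The pattern described above, as an added example that is not part of the original post or of CMF itself: a folder-contents style browser view whose privileged actions each re-check their own permission, instead of relying on the single permission that guards the whole view. The `SecurityManager`, `Folder`, `User` and `Unauthorized` classes are constructed stand-ins for Zope's `AccessControl.getSecurityManager().checkPermission(...)` machinery so the example runs offline; the permission title strings are the usual CMF ones, but the role-to-permission map and the users are made up for the example.

```python
"""Added example: a trusted browser view that gates each privileged action
with an explicit permission check, because the one permission that protects
the view as a whole (e.g. 'View') says nothing about rename or delete.

Everything below is a constructed stand-in for Zope/CMF; it is not CMF code."""

from dataclasses import dataclass, field

# CMF permission titles (the strings are the real ones; the grants are not).
VIEW = "View"
DELETE_OBJECTS = "Delete objects"
MODIFY_PORTAL_CONTENT = "Modify portal content"


@dataclass
class Folder:
    """Constructed stand-in for a CMF folder: sub-object ids plus a
    role -> permissions map playing the role of Zope's permission settings."""
    items: dict = field(default_factory=dict)
    role_permissions: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    roles: set


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


class SecurityManager:
    """Stand-in for AccessControl.getSecurityManager(): a permission is held
    when any of the user's roles grants it on the object."""

    def __init__(self, user):
        self.user = user

    def checkPermission(self, permission, obj):
        return any(permission in obj.role_permissions.get(role, set())
                   for role in self.user.roles)


class FolderContentsView:
    """Trusted view code. In ZCML this view would be registered with the
    'View' permission; that alone would let a Member reach delete(), so
    every action re-checks the permission it actually needs."""

    def __init__(self, context, sm):
        self.context = context
        self.sm = sm

    def _require(self, permission):
        if not self.sm.checkPermission(permission, self.context):
            raise Unauthorized(permission)

    def available_actions(self):
        """What the template should render: only the buttons the user may use."""
        actions = []
        if self.sm.checkPermission(MODIFY_PORTAL_CONTENT, self.context):
            actions.append("rename")
        if self.sm.checkPermission(DELETE_OBJECTS, self.context):
            actions.append("delete")
        return actions

    def rename(self, old, new):
        # Hiding the button is not enough; the action itself must check too.
        self._require(MODIFY_PORTAL_CONTENT)
        self.context.items[new] = self.context.items.pop(old)
        return sorted(self.context.items)

    def delete(self, ids):
        self._require(DELETE_OBJECTS)
        for item_id in ids:
            del self.context.items[item_id]
        return sorted(self.context.items)


def make_folder():
    """Constructed sample folder with two sub-objects and a typical grant map."""
    return Folder(
        items={"a": "doc a", "b": "doc b"},
        role_permissions={
            "Anonymous": {VIEW},
            "Member": {VIEW, MODIFY_PORTAL_CONTENT},
            "Manager": {VIEW, MODIFY_PORTAL_CONTENT, DELETE_OBJECTS},
        },
    )


def demo():
    """Run the view as a Member and as a Manager against the same folder."""
    folder = make_folder()
    member = FolderContentsView(folder, SecurityManager(User("alice", {"Member"})))
    manager = FolderContentsView(folder, SecurityManager(User("bob", {"Manager"})))
    results = {
        "member_actions": member.available_actions(),
        "manager_actions": manager.available_actions(),
        "member_rename": member.rename("a", "c"),
    }
    try:
        member.delete(["b"])
        results["member_delete"] = "allowed"
    except Unauthorized:
        results["member_delete"] = "denied"
    results["manager_delete"] = manager.delete(["b"])
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks do different jobs: `available_actions()` keeps the rendered form honest for the user's roles, while `_require()` inside each action is the one that actually enforces the permission, so a hand-crafted request to `delete` from a Member still fails with `Unauthorized`.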


