[Zope] resolve_url and authorization

Ingo Assenmacher ingo.assenmacher@post.rwth-aachen.de
Wed, 12 Apr 2000 13:00:40 +0200 (MEST)


Hi.
Thanks for your response.

On 12-Apr-00 Itamar Shtull-Trauring wrote:

>> resolve_url uses the exact same publishing machinery as calling a URL
>> through the web; it does _not_ bypass the security machinery.  If you do
>> not have enough privilege to access an object, then you will get an
>> Unauthorized, just like when you call it through the web.
> 
> Additionally, if the object does not have an index_html, it may acquire it -
> so you also have to make sure that the index_html it might acquire is
> viewable by the user you're running as.

I *did* test this with several users, including a top-level defined user with
Manager role and privileges. The result was absolutely the same. This was what
raised my question. Since the Manager role is granted all permissions, I *am*
somewhat confused.
I thought: maybe I have made a mistake within my objects somewhere and tried
to use "resolve_url()" on DTML-Documents and tried to access their 'id'
attribute with:

<dtml-in "Catalog(meta_type='DTML Document')">
 <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)">
  <dtml-var id>
 </dtml-with>
</dtml-in>

which also raised the "unauthorised" Exception.
As I have stated above: this does not happen when I do use the
Superuser-account.

I created some workaround (ugly, ugly) just to handle this. I am not quite
happy with this, because I do need the ZCatalog object traversal desperately.
Any further hints are absolutely welcome.


Regards, Ingo
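
Added example (not part of the original message and not Zope code): a simplified Python model of the behaviour described in the quoted reply, where an object without its own index_html acquires one from a container and the role check applies to that acquired object as well. The names Obj, publish, outcome and build_sample, and the role sets, are assumptions made for the illustration.

```python
class Unauthorized(Exception):
    """The user holds none of the roles required by the checked object."""

class Obj:
    def __init__(self, name, roles, parent=None):
        self.name, self.roles, self.parent = name, set(roles), parent
        self.items = {}                      # directly contained objects
        if parent is not None:
            parent.items[name] = self

    def acquire(self, name):
        """Find name here, else in each enclosing container up to the root."""
        node = self
        while node is not None:
            if name in node.items:
                return node.items[name]
            node = node.parent
        raise KeyError(name)

def check(obj, user_roles):
    """Model of the role check: at least one required role must be held."""
    if not obj.roles & set(user_roles):
        raise Unauthorized(obj.name)

def publish(root, path, user_roles):
    """Resolve path, then its (possibly acquired) index_html; check both."""
    obj = root
    for step in filter(None, path.split("/")):
        obj = obj.items[step]
    check(obj, user_roles)
    view = obj.acquire("index_html")         # may come from a parent folder
    check(view, user_roles)
    return view

def outcome(root, path, user_roles):
    """('ok', container of the view used) or ('Unauthorized', blocking object)."""
    try:
        return ("ok", publish(root, path, user_roles).parent.name)
    except Unauthorized as exc:
        return ("Unauthorized", str(exc))

def build_sample():
    """Constructed tree: only the root defines index_html, and it is Manager-only."""
    root = Obj("root", {"Manager", "Anonymous"})
    Obj("index_html", {"Manager"}, parent=root)
    docs = Obj("docs", {"Manager", "Anonymous"}, parent=root)
    Obj("report", {"Manager", "Anonymous"}, parent=docs)
    return root
```

In this model, outcome(build_sample(), "docs/report", {"Anonymous"}) reports index_html as the blocking object even though "report" itself is viewable, which is the situation the quoted reply warns about.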
