[Zope] Simple security puzzle
Robb Shecter
shecter@darmstadt.gmd.de
Thu, 03 Feb 2000 19:08:38 +0100
Hi,
I just made a simple method to make a list of all sub folders that
have a "description" attribute:

  <dtml-in "PARENTS[0].objectValues(['Folder'])" skip_unauthorized>
    <dtml-if "_.has_key('description')">
      <a href="<dtml-var URL1>/<dtml-var id>"><dtml-var title_or_id></a>
      <br>
      <dtml-var description>
      <br> <br>
    </dtml-if>
  </dtml-in>

...This works great, and saves a lot of work.
The problem: Some sub folders require certain roles or users for
access. And of course, I want these subfolders included in the
listing - when the user clicks on them, they'd get asked to log in...
But, with the above method, any sub folders that require a different
role than anonymous don't get shown at all. If I remove
"skip_unauthorized", then I get a security exception, apparently when
trying to access the sub folder attributes.
To me, it looks like I want the equivalent of a Unix setuid program -
the anonymous user runs my method, and my method runs with different
permissions.
Any suggestions? Thanks,
- Robb