[Zope] Globals.DTMLFile vs. DTML Method wrt security

Randall F. Kern randy@spoke.net
Fri, 20 Apr 2001 17:58:54 -0700


DTMLFile objects in my python product can do things DTML Methods can't,
and that is causing some trouble.

In particular, dtml that is from a DTMLFile() attribute in a python
product can <dtml-var> stuff (like a DTML Document) that doesn't have
the correct permissions, and placing the sam

For example, create a DTML Document (id secret) that only managers can
'View' or 'Access contents information' on.  Then write a DTML Method
that just does <dtml-var secret>.  This correctly causes a login dialog, and
will only show the contents of secret if you are authenticated with an
account that has the manager role.

Now write a python product somewhere, important bits look like this:

from AccessControl import ClassSecurityInfo
from OFS.Folder import Folder
import Globals

class Foo(Folder):
	security = ClassSecurityInfo()
	security.declareObjectProtected('View')
	__class_init__ = Globals.default__class_init__

	meta_type = "foo"

	def __init__(self, id):
		self.id = id

	# filesystem DTML, rendered from test.dtml next to this module
	security.declareProtected('View', 'test')
	test = Globals.DTMLFile('test', globals())

	security.declareProtected('View', '__call__')
	def __call__(self, client=None, context={}, **extras):
		return apply(self.test, ((client, self), context), extras)

then in test.dtml:

<dtml-var secret>


Now create an instance of Foo somewhere, and try calling either the test
method or the object itself.  In both cases, you'll see the contents of
secret, without being logged in.
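The behaviour described in the post, reduced to a small stand-alone model.  This
is an added example, not code from the original message and not Zope's own
implementation; it only assumes the distinction the post is about, namely that a
filesystem DTMLFile in a product is trusted code whose name lookups are not
validated, while a through-the-web DTML Method validates every lookup against the
current user.  The names (render, dtml_method, dtml_file, hardened_product_call,
validate) and the sample folder, document and users are all constructed here.

```python
import re


class Unauthorized(Exception):
    """Raised when a lookup fails the 'View' check (models Zope's Unauthorized)."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


class Document:
    """Stand-in for a DTML Document; view_roles models who holds 'View' on it."""

    def __init__(self, id, body, view_roles):
        self.id = id
        self.body = body
        self.view_roles = frozenset(view_roles)


def validate(user, obj):
    """Toy security manager: 'View' is granted iff the user holds a permitted role."""
    return bool(user.roles & obj.view_roles)


_DTML_VAR = re.compile(r"<dtml-var\s+([A-Za-z_]\w*)>")


def render(template, container, user, check_permissions):
    """Expand <dtml-var name> by looking name up in container (models acquisition).

    check_permissions=True  models a through-the-web DTML Method: restricted
                            code, every lookup goes through validate().
    check_permissions=False models a filesystem DTMLFile: trusted code, the
                            lookup is never validated (assumption of this model).
    """
    def lookup(match):
        name = match.group(1)
        obj = container[name]
        if check_permissions and not validate(user, obj):
            raise Unauthorized(name)
        return obj.body
    return _DTML_VAR.sub(lookup, template)


def dtml_method(template, container, user):
    return render(template, container, user, check_permissions=True)


def dtml_file(template, container, user):
    return render(template, container, user, check_permissions=False)


def hardened_product_call(template, container, user):
    """What a product's __call__ has to do itself when it renders trusted DTML:
    validate each object the template will expose before rendering it."""
    for name in _DTML_VAR.findall(template):
        if not validate(user, container[name]):
            raise Unauthorized(name)
    return dtml_file(template, container, user)


# Constructed sample data following the scenario in the post.
SECRET = Document("secret", "the secret contents", view_roles=["Manager"])
FOLDER = {"secret": SECRET}
TEMPLATE = "<dtml-var secret>"
ANONYMOUS = User("Anonymous User", ["Anonymous"])
MANAGER = User("manager", ["Manager", "Authenticated"])


def outcome(renderer, user):
    """Return the rendered text, or 'Unauthorized' if the check fires."""
    try:
        return renderer(TEMPLATE, FOLDER, user)
    except Unauthorized:
        return "Unauthorized"


def demo():
    return {
        "dtml_method/anonymous": outcome(dtml_method, ANONYMOUS),
        "dtml_method/manager": outcome(dtml_method, MANAGER),
        "dtml_file/anonymous": outcome(dtml_file, ANONYMOUS),
        "hardened/anonymous": outcome(hardened_product_call, ANONYMOUS),
        "hardened/manager": outcome(hardened_product_call, MANAGER),
    }


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-24s %s" % (key, value))
```

The dtml_file path returns the secret body to the anonymous user because nothing
in it consults the user at all; the hardened variant shows that, once code is
trusted, the permission check is the product author's responsibility rather than
something the rendering machinery does on their behalf.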