[Zope] RE: Globals.DTMLFile vs. DTML Method wrt security

Randall F. Kern randy@spoke.net
Fri, 20 Apr 2001 18:01:48 -0700


oops, slipped on the keyboard, sorry about that partial post.  here's
the full version:

DTMLFile objects in my python product can do things DTML
Methods can't, and that is causing some trouble.

In particular, dtml that is from a DTMLFile() attribute in a
python product can <dtml-var> stuff (like a DTML Document)
that doesn't have the correct permissions, and placing the same
<dtml-var> tag into a TTW DTML Method results in a login
dialog.

Is this by design?  Is there a way for me to turn this off?

-Randy


Details:

For example, create a DTML Document (id secret) that only
managers can 'View' or 'Access contents information' on.
Then write a DTML Method that just does <dtml-var secret>.  This
correctly causes a login dialog, and will only show the
contents of secret if you are authenticated with an account
that has the manager role.

Now write a python product somewhere, important bits look like this:

from AccessControl import ClassSecurityInfo
from OFS.Folder import Folder
import Globals

class Foo(Folder):
    security = ClassSecurityInfo()
    security.declareObjectProtected('View')
    __class_init__ = Globals.default__class_init__

    meta_type = "foo"

    def __init__(self, id):
        self.id = id

    # test.dtml is loaded from the Product directory on disk, i.e. it is
    # filesystem (trusted) code, not a through-the-web DTML Method.
    security.declareProtected('View', 'test')
    test = Globals.DTMLFile('test', globals())

    security.declareProtected('View', '__call__')
    def __call__(self, client=None, context={}, **extras):
        return apply(self.test, ((client, self), context), extras)

then in test.dtml:

<dtml-var secret>


Now create an instance of Foo somewhere, and try calling
either the test method or the object itself.  In both cases,
you'll see the contents of secret, without being logged in.
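The behaviour reported above comes down to a trust boundary: a through-the-web DTML Method is restricted code, so every name it looks up is validated against the current user, whereas a DTMLFile shipped in a filesystem Product is trusted code whose lookups are plain attribute access, so nothing consults the user at all. The following is an added example, not code from the original post and not Zope's own implementation: a small stand-alone model of that boundary with hypothetical names (Document, Folder, validate, guarded_getattr, the render_* functions) standing in for Zope's machinery. It reproduces the scenario from the post for an anonymous visitor and a manager, and shows the one remediation available to the product author: trusted code that hands a protected object to a template has to call the validation hook itself.

```python
# Added example (not from the original post, not Zope code): a model of
# restricted vs. trusted template rendering. All names are hypothetical
# stand-ins for Zope's security machinery.


class Unauthorized(Exception):
    """Raised when the validation hook rejects an access."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


# Constructed sample principals.
ANONYMOUS = User("Anonymous User", ("Anonymous",))
MANAGER = User("admin", ("Manager", "Authenticated"))


class Document:
    """Stand-in for a DTML Document: a body plus the roles allowed to View it."""

    def __init__(self, id, body, view_roles):
        self.id = id
        self.body = body
        self.view_roles = frozenset(view_roles)


class Folder:
    """Container whose children are plain attributes (acquisition reduced to
    attribute lookup on the folder that holds the template)."""

    def __init__(self, **children):
        for name, child in children.items():
            setattr(self, name, child)


def validate(user, value):
    """The reference monitor: may `user` View `value`?  Values that carry no
    role map (strings, numbers) are treated as public."""
    roles = getattr(value, "view_roles", None)
    if roles is not None and not (user.roles & roles):
        raise Unauthorized(getattr(value, "id", repr(value)))
    return value


def guarded_getattr(container, name, user):
    """What restricted code does for every `<dtml-var name>`: look up, then validate."""
    return validate(user, getattr(container, name))


def render_web_dtml_method(folder, name, user):
    """Through-the-web DTML Method: restricted, so the lookup is guarded."""
    return guarded_getattr(folder, name, user).body


def render_product_dtmlfile(folder, name, user):
    """DTMLFile inside a filesystem Product: trusted, plain getattr.  Nothing
    here consults `user`, which is the behaviour the post observed."""
    return getattr(folder, name).body


def render_product_dtmlfile_checked(folder, name, user):
    """Remediation for trusted code: validate explicitly before handing a
    protected object to the template."""
    return validate(user, getattr(folder, name)).body


def demo():
    """Reproduce the post's scenario.  Returns {(user, path): outcome} so the
    behaviour can be checked programmatically rather than by reading output."""
    # Constructed sample tree: `secret` is viewable by Managers only.
    root = Folder(secret=Document("secret", "the secret", view_roles=("Manager",)))
    results = {}
    for label, user in (("anon", ANONYMOUS), ("manager", MANAGER)):
        for path, render in (("web", render_web_dtml_method),
                             ("dtmlfile", render_product_dtmlfile),
                             ("dtmlfile_checked", render_product_dtmlfile_checked)):
            try:
                results[(label, path)] = render(root, "secret", user)
            except Unauthorized:
                results[(label, path)] = "Unauthorized"
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "->", value)
```

The point the model makes is that the permission on `secret` is only enforced at the lookup, by whoever performs it. The anonymous visitor is refused by the web method and by the checked DTMLFile, and served the body by the unchecked DTMLFile; the manager is served by all three. Declaring `View` on `test` and `__call__` (as the product above does) protects the product's own methods, but says nothing about what those trusted methods may reach through acquisition on the user's behalf.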