[Zope] checking view permissions
Dieter Maurer
dieter@handshake.de
Mon, 29 Apr 2002 22:11:49 +0200
Tom Rockwell writes:
> ...
> <dtml-if "AUTHENTICATED_USER.has_permission('View', upload)">
> <a href="upload">Upload</a>
> </dtml-if>
>
> However, for unauthenticated users, Zope gives the error that "upload"
> doesn't exist. So apparently, if a user can't View an object, they also
> can't call .has_permission('View', object). Am I missing something?
No, you are not missing anything!
I am not sure whether I should call this a bug.
Zope already protects the lookup of an object, not only
the actual object access.
While this would not be strictly necessary, it increases
security, as objects you do not have access rights to cannot
even be moved around.
Your code above looks up "upload" and therefore raises
an "Unauthorized" exception, which in some cases is turned
into a "KeyError" (I am quite sure this is a bug.
One may argue that I should not even know about
the existence of an object I have no access rights to.
But it is very confusing and (IMV) paranoid).
You can put your test into a "<dtml-try>...<dtml-except>..."
to work around this security feature.
Dieter
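The workaround Dieter describes, written out as an added example (not code from either poster): the lookup of "upload" is wrapped in a dtml-try so that the Unauthorized/KeyError raised for users who may not View it simply suppresses the link instead of aborting the page.

```dtml
<dtml-comment>
  Added example: the permission test from the question, wrapped in
  dtml-try. Looking up "upload" already raises Unauthorized (sometimes
  surfacing as KeyError) for users without View on it, so the exception
  is caught and the link is omitted. The object id "upload" and the
  link text are taken from the original question.
</dtml-comment>
<dtml-try>
  <dtml-if "AUTHENTICATED_USER.has_permission('View', upload)">
    <a href="upload">Upload</a>
  </dtml-if>
<dtml-except>
  <dtml-comment>
    Lookup failed (no View on "upload", or it is absent): render nothing.
  </dtml-comment>
</dtml-try>
```

An empty dtml-except body also works; the comment is only there to make the intent visible to the next maintainer.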