[Zope] manage_delObjects requires escalated permissions when run from different folder?

Milos Prudek milos.prudek@tiscali.cz
Thu, 07 Mar 2002 12:34:41 +0100


Why does manage_delObjects require granting "Delete objects" to 
Authenticated to allow even Manager(!!!) to use it?

The following DTML method lives in the /edit Folder, and it tries to delete 
a copy_of_top image in the /images Folder. Even a manager cannot run it (the 
error message is "unauthorised to use manage_delObjects") unless "Delete 
objects" is granted to Authenticated.

<dtml-var standard_html_header>
<dtml-with images>
<dtml-if copy_of_top>
   <h1>Image is there</h1>
   <dtml-call "images.manage_delObjects(ids=['copy_of_top'])">
<dtml-else>
   <h1>Image is not there</h1>
</dtml-if>
</dtml-with>
<dtml-var standard_html_footer>



This problem does NOT appear if both the DTML method and image live in 
the same folder. In other words, the following DTML method does not 
require special privileges:

<dtml-var standard_html_header>
<dtml-if copy_of_top>
   <h1>Image is there</h1>
   <dtml-call "manage_delObjects(ids=['copy_of_top'])">
<dtml-else>
   <h1>Image is not there</h1>
</dtml-if>
<dtml-var standard_html_footer>

Why is this?

-- 
Milos Prudek