[Zope3-dev] Security with Viewlets

Shane Hathaway shane at hathawaymix.org
Thu Nov 16 18:17:04 EST 2006


Paul Carduner wrote:
> I am having trouble debugging viewlets that redirect to Unauthorized
> pages.  Here is the synopsis.  We have a "dashboard" page with a bunch
> of viewlets displaying information about all different parts of the
> system.  When one viewlet tries to access forbidden attributes, the
> whole page gets redirected to the "Unauthorized" view.  I would rather
> see a little message in place of the questionable viewlet saying "this
> viewlet is trying to access forbidden data."
> 
> Ideally, the viewlet manager would "wrap" each viewlet in some
> foolproof environment such that if anything went wrong with the viewlet -
> security or otherwise - then the viewlet manager would handle each
> problem appropriately.
> 
> Can anyone recommend an approach to doing this or explain why it is a
> bad idea altogether?

In theory: the viewlet manager should catch an exception generated by a 
viewlet and attempt to adapt the exception to a viewlet, which the 
manager should render instead of the original viewlet.  If there is no 
such adapter, or the exception viewlet fails, the viewlet manager should 
either provide some default or propagate the exception to the whole page.

> Alternatively, any hints on debugging security?  I wish there was an
> easy way to see exactly which attribute of which object denied access.

I'm sure that will come in time.

Shane
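
An added sketch of the fallback order described in the reply above (exception viewlet first, then a manager default, then propagation). It is not part of the original message and not Zope 3 code: every class and function name here is hypothetical, and a plain dict stands in for adapter lookup.

```python
# Added sketch; every name here is hypothetical, none is a Zope 3 API.
class Unauthorized(Exception):
    """Stand-in for the security error a viewlet raises."""

class Viewlet:
    def __init__(self, produce):
        self.produce = produce          # callable returning the viewlet's HTML
    def render(self):
        return self.produce()

class DeniedNotice:
    """Exception viewlet: rendered in place of the viewlet that failed."""
    def __init__(self, exc):
        self.exc = exc
    def render(self):
        return "<p>this viewlet is trying to access forbidden data.</p>"

class FallbackManager:
    def __init__(self, default=None):
        self.adapters = {}              # exception class -> exception-viewlet factory
        self.default = default          # callable(exc) -> str; None means propagate

    def _adapt(self, exc):
        for cls in type(exc).__mro__:   # most specific registration wins
            if cls in self.adapters:
                return self.adapters[cls](exc)
        return None

    def render_one(self, viewlet):
        try:
            return viewlet.render()
        except Exception as exc:
            error = exc
        try:
            replacement = self._adapt(error)
            if replacement is not None:
                return replacement.render()
        except Exception:
            pass                        # the exception viewlet failed as well
        if self.default is not None:
            return self.default(error)
        raise error                     # no adapter, no default: whole page fails

    def render(self, viewlets):
        return "\n".join(self.render_one(v) for v in viewlets)

def forbidden():                        # constructed sample viewlet body
    raise Unauthorized("salary")

def demo():
    manager = FallbackManager()
    manager.adapters[Unauthorized] = DeniedNotice
    return manager.render([Viewlet(lambda: "<p>news</p>"), Viewlet(forbidden)])
```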


