[ZPT] not grokking tal/metal security

Florent Guillaume fg@nuxeo.com
Tue, 23 Apr 2002 14:20:35 +0000 (UTC)


Okay, then the other "frequently encountered problem" you may have
stumbled into is that of executive ownership. Could you check that all
the relevant page templates / python scripts are owned (Owner tab) by an
existing user that has sufficient permissions? Ideally they would be
owned by a global "admin" who is Manager.

Florent

Kevin Littlejohn  <darius@obsidian.com.au> wrote:
> On Tue, 2002-04-23 at 02:21, Florent Guillaume wrote:
> > Does the object you're returning have any security assertion in its class,
> > like security.declareObjectProtected('View') ?
> 
> Yes, it does - at the moment, the object itself is protected thus:
> 
>     security = ClassSecurityInfo()
>     security.declareObjectPublic()
> 
> Each method is protected by specific permissions, but my role when I'm
> logged in (as a Manager) includes those permissions.  If I declare the
> methods to be public, then it works, because by the time the object's
> methods are called, I'm back down to Anonymous User.
> 
> I can't have this stuff declared public, unfortunately - I need to code
> in some checks to be sure that the user accessing the site is allowed to
> do certain things on those objects.
> 
> KJL
> 
> > 
> > Florent
> > 
> > Kevin Littlejohn  <darius@obsidian.com.au> wrote:
> > > Hi all,
> > > 
> > > I've been trying to use metal and tal for a new project, and I'm being
> > > bitten by something that looks like a bug to me.  Can someone please
> > > explain this behaviour?
> > > 
> > > Two TAL pages:
> > > 
> > > macros:
> > > <html metal:define-macro="page">
> > > <head><title
> > > tal:content="python:here.getDetails()['company_name']">company
> > > Name</title></head>
> > > <body><b tal:content="user/getUserName">Username</b> accessing <b
> > > tal:content="python: here.getDetails()['company_name']">Company
> > > Name</b><br>
> > > <b>Links:</b><a href="/darius/">Home Page</a><br>
> > > <hr>
> > > <div metal:define-slot="main">Main Page</div></body></html>
> > > 
> > > index_html:
> > > <html metal:use-macro="here/macros/macros/page">
> > > <head><title>Welcome to Jet</title></head>
> > > <body>
> > > <div metal:fill-slot="main">
> > > Current Choices:
> > > <ul>
> > >     <li><a href="listUsers">List all Users</a></li>
> > > </ul>
> > > </div>
> > > </body>
> > > </html>
> > > 
> > > Now, if I refer to
> > > tal:content="python:here/getDetails()['company_name']" in index_html, it
> > > works - that method requires a certain set of privileges, which I have
> > > when I'm logged in.  But in macros, it seems that I've been demoted to
> > > an Anonymous User - if I try and load index_html as it is above when
> > > Anonymous User doesn't have "view" privileges, I get told "You are not
> > > allowed to access macros in this context".  If I try and fudge around
> > > that, I can pretty much verify that by the time I'm rendering the macro,
> > > I'm Anonymous User, instead of myself.
> > > 
> > > Am I doing something wrong?
> > > 
> > > I'm striking a similar, though different, problem with a line that
> > > reads:
> > > tal:content="python:here.customer(request.user_cid).getDetails()", where
> > > here.customer() returns a Customer object, which has a getDetails()
> > > method - by the time I'm calling the getDetails method, I'm Anonymous
> > > User again, even though the call to here.customer() is made as me.
> > > 
> > > Confused,
> > > KevinL
> > > -- 
> > > Internet techie                    Obsidian Consulting Group
> > > Phone: +613 9653 9364                    Fax: +613 9354 2681
> > > http://www.obsidian.com.au/           darius@obsidian.com.au
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > ZPT mailing list
> > > ZPT@zope.org
> > > http://lists.zope.org/mailman/listinfo/zpt
> > > 
> > 
> > 
> > -- 
> > Florent Guillaume, Nuxeo (Paris, France)
> > +33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
> -- 
> Internet techie                    Obsidian Consulting Group
> Phone: +613 9653 9364                    Fax: +613 9354 2681
> http://www.obsidian.com.au/           darius@obsidian.com.au


-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
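
The ownership check discussed in this thread, as an added example that is not part of the original message and is not Zope's own code: a simplified Python model in which a protected method is reachable only when both the logged-in user and the owner of the executing template hold a required role. The user ids, role sets and the names `Executable`, `allowed` and `audit` are hypothetical, and treating an owner id that no longer resolves as Anonymous is an assumption of the model.

```python
# Simplified model of the owner check on executable objects (page templates,
# Python scripts). Illustration only; this is not Zope's AccessControl code.
from dataclasses import dataclass
from typing import Optional

ANONYMOUS = frozenset({"Anonymous"})
PUBLIC = None  # stands in for a method declared public: no role check at all
NEEDS_MANAGER = frozenset({"Manager"})

# Constructed user database: user id -> roles.
USERS = {
    "admin": frozenset({"Manager", "Authenticated", "Anonymous"}),
    "kevin": frozenset({"Manager", "Authenticated", "Anonymous"}),
}

@dataclass
class Executable:
    name: str
    owner_id: Optional[str]  # None models an object with no owner recorded

def owner_roles(exe):
    """Roles of the owner; an owner id that no longer resolves is Anonymous."""
    if exe.owner_id is None:
        return None  # unowned: no ownership restriction in this model
    return USERS.get(exe.owner_id, ANONYMOUS)

def allowed(user_id, executing, required_roles):
    """True only if the user AND the executing object's owner hold a role."""
    if required_roles is PUBLIC:
        return True
    if not USERS.get(user_id, ANONYMOUS) & required_roles:
        return False
    roles = owner_roles(executing)
    return roles is None or bool(roles & required_roles)

def audit(executables, required_roles):
    """Names of executables whose owner cannot satisfy required_roles."""
    return [e.name for e in executables
            if (r := owner_roles(e)) is not None and not r & required_roles]

# Constructed objects: 'macros' is owned by a user id that no longer exists.
macros_stale = Executable("macros", "departed_dev")
macros_fixed = Executable("macros", "admin")
index_html = Executable("index_html", "admin")

if __name__ == "__main__":
    print(allowed("kevin", macros_stale, NEEDS_MANAGER))  # False
    print(allowed("kevin", macros_fixed, NEEDS_MANAGER))  # True
    print(allowed("kevin", macros_stale, PUBLIC))         # True
    print(audit([macros_stale, index_html], NEEDS_MANAGER))  # ['macros']
```

The stale-owner case reproduces the reported symptom: a Manager is refused inside the macro, while the same method declared public still renders.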