[ZPT] RE: Permissions, ZPT and absolute_url

Jay, Dylan djay@avaya.com
Tue, 3 Dec 2002 16:56:51 +1100


A bit more exploring reveals that I can call absolute_url on Folder object
or aquition path of Folder objects regardless of the fact that they all fail
to aquire a view permission. However if I try to do the same on another ZPT
or PythonScript etc, then I get the follwing error 

"
  <strong>Error Type: Unauthorized</strong><br>
  <strong>Error Value: You are not allowed to access doRegistration in this
context</strong>
"

It seems that the security framework barfs to a traversal of anything else
other than folders??? 

> -----Original Message-----
> From: Jay, Dylan 
> Sent: Tuesday, 3 December 2002 2:59 PM
> To: 'zope@zope.org'
> Subject: Permissions, ZPT and absolute_url
> 
> 
> I'm having a bit of trouble with security and ZPT. I am 
> locking down my site such that only the cookie login page has 
> anonymous view permission. This page however is used with the 
> VirtualHost monster so all the links off it have something 
> like tal:attributes="here/reg/register.html/absolute_url".
> 
> Now from looking at the code absolute_url is a public method 
> so shouldn't call be allowable without having to make 
> register.html viewable to anonymous? Without ZPT proxy roles 
> would be the answer but that isn't offer with ZPT :(
> 
> ----
> Dylan Jay                           mailto:djay@avaya.com
> Avaya Communication                 Tel:   +61-2-9352-8642
> Level 3, 123 Epping Road            FAX:   +61-2-9352 9224
> Nth Ryde NSW 2113                   Mobile: 0409 606 171
> AUSTRALIA
>