[ZPT] Permissions, ZPT and absolute_url

Dieter Maurer dieter@handshake.de
Tue, 3 Dec 2002 21:16:33 +0100


Jay, Dylan writes:
 > I'm having a bit of trouble with security and ZPT. I am locking down my site
 > such that only the cookie login page has anonymous view permission. This
 > page however is used with the VirtualHost monster so all the links off it
 > have something like tal:attributes="here/reg/register.html/absolute_url".
 > 
 > Now from looking at the code absolute_url is a public method so shouldn't
 > the call be allowable without having to make register.html viewable to
 > anonymous? Without ZPT proxy roles would be the answer but that isn't offered
 > with ZPT :(

Path expressions use "restrictedTraverse" for traversal.

"restrictedTraverse" checks the object protection of all intermediate
steps.

Most object classes use "Access contents information" as
object protection permission but some use "View"
or other (more appropriate) permissions.

Looks like ZPT is using some permission your anonymous does not have.

I would go for a Python Script with an appropriate proxy role
that computes the requested "absolute_url". It would be nicer
if ZPT had proxy roles, but ....


Dieter
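
An added illustration, not part of the original message and not Zope's own code: a simplified Python model of the per-step protection check that "restrictedTraverse" performs, and of a script whose proxy role replaces the caller's roles. The Node class, the role assignments and the example.invalid host are constructed assumptions.

```python
class Unauthorized(Exception):
    """Raised when a traversal step is not permitted for the given roles."""

class Node:
    def __init__(self, name, permission, roles, parent=None):
        self.name = name
        self.permission = permission        # permission protecting this object
        self.allowed_roles = set(roles)     # roles holding that permission here
        self.parent = parent
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def absolute_url(self):
        # Public method: needs no permission itself, but the object has to be
        # reached through traversal before it can be called.
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))

def restricted_traverse(root, path, roles):
    """Walk path from root, checking each step's protection against roles."""
    node = root
    for step in path.split("/"):
        node = node.children[step]
        if not node.allowed_roles & set(roles):
            raise Unauthorized(f"{step}: requires '{node.permission}'")
    return node

def url_via_proxy_script(root, path, caller_roles, proxy_roles=("Manager",)):
    # Models a Python Script with a proxy role: caller_roles are ignored and
    # the script's proxy roles are used for the traversal instead.
    return restricted_traverse(root, path, proxy_roles).absolute_url()

def build_site():
    # Constructed sample site: only Manager may reach reg and register.html.
    root = Node("http://example.invalid", "View", {"Anonymous", "Manager"})
    reg = Node("reg", "Access contents information", {"Manager"}, root)
    Node("register.html", "View", {"Manager"}, reg)
    return root

if __name__ == "__main__":
    site = build_site()
    try:
        restricted_traverse(site, "reg/register.html", ["Anonymous"])
    except Unauthorized as exc:
        print("path expression as Anonymous:", exc)
    print(url_via_proxy_script(site, "reg/register.html", ["Anonymous"]))
```

The script should carry the narrowest role that holds the needed permission and return only the URL, so anonymous visitors gain nothing else from it.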