[ZPT] Permissions, ZPT and absolute_url

Jay, Dylan djay@avaya.com
Wed, 4 Dec 2002 09:20:05 +1100


> -----Original Message-----
> From: Dieter Maurer [mailto:dieter@handshake.de]
> Sent: Wednesday, 4 December 2002 7:17 AM
> To: Jay, Dylan
> Cc: 'zpt@zope.org'
> Subject: Re: [ZPT] Permissions, ZPT and absolute_url
> 
> 
> Jay, Dylan writes:
>  > I'm having a bit of trouble with security and ZPT. I am locking down my site
>  > such that only the cookie login page has anonymous view permission. This
>  > page however is used with the VirtualHost monster so all the links off it
>  > have something like tal:attributes="here/reg/register.html/absolute_url".
>  > 
>  > Now from looking at the code absolute_url is a public method so shouldn't
>  > call be allowable without having to make register.html viewable to
>  > anonymous? Without ZPT proxy roles would be the answer but that isn't offered
>  > with ZPT :(
> Path expressions use "restrictedTraverse" for traversal.
> 
> "restrictedTraverse" checks the object protection of all intermediate
> steps.
> 
> Most object classes use "Access contents information" as
> object protection permission but some use "View"
> or other (more appropriate) permissions.

Yes, looks like ZPT is object protected by the "View" permission :( I'm not
sure that's appropriate either.
 
> Looks like ZPT is using some permission your anonymous does not have.
> 
> I would go for a Python Script with an appropriate proxy role
> that computed the requested "absolute_url". It would be nicer,

So if I link to 10 other pages and need their URL, I need 10 Python scripts?
That's crazy. Anyone know if there is a good reason why a ZPT object
protection isn't public?


> when ZPT had proxy roles, but ....

Is there a good reason why it has no proxy roles?
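
Added example, not part of the original message and not Zope code: a simplified Python model of the behaviour described in the quoted reply, where traversal checks the object protection of every step, so a public absolute_url is never reached when the page template itself is protected by "View". Node, restricted_traverse, url_via_proxy and the allow-list are hypothetical names and assumptions; url_via_proxy models a single proxy-role helper that takes the path as a parameter.

```python
# Simplified model of the checks discussed in this thread. This is not Zope code;
# Node, restricted_traverse and url_via_proxy are hypothetical names.

class Unauthorized(Exception):
    pass

class Node:
    def __init__(self, name, protection, parent=None):
        self.name, self.protection, self.parent = name, protection, parent
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def absolute_url(self):
        # Public in this model: the method performs no permission check itself.
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))

def restricted_traverse(root, path, roles, grants):
    """Walk path; every step's object protection must be granted to a caller role."""
    node = root
    for name in path.split("/"):
        node = node.children[name]
        if not (set(roles) & grants.get(node.protection, set())):
            raise Unauthorized(f"{name!r} requires {node.protection!r}")
    return node

def url_via_proxy(root, path, grants, allowed, proxy_roles=("Manager",)):
    """One helper for many links: traverses with proxy roles, but only for listed paths."""
    if path not in allowed:
        raise Unauthorized(f"{path!r} is not on the allow-list")
    return restricted_traverse(root, path, proxy_roles, grants).absolute_url()

def build_site():
    # Constructed sample: a locked-down site where Anonymous lacks "View".
    root = Node("", "Access contents information")
    reg = Node("reg", "Access contents information", root)
    Node("register.html", "View", reg)  # page template protected by "View", as in the thread
    grants = {"Access contents information": {"Anonymous", "Manager"},
              "View": {"Manager"}}
    return root, grants
```

In the model, an anonymous caller can obtain the URL of the folder reg but is stopped at register.html before absolute_url is looked up, while the allow-listed helper returns the URL without making the page viewable.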