Hi,
For QuillsEnabled, I have implemented an adapter from the standard Plone
Page/Document to Quills' IWeblogEntry. See
<http://dev.plone.org/collective/browser/Products.QuillsEnabled/trunk/Products/QuillsEnabled/adapters/document.py>.
Instances of this adapter get used by skin templates (i.e. portal_skins)
and therefore by untrusted code. In order to make this work, it was
necessary to put __allow_access_to_unprotected_subobjects__ = True on
the adapter class. This is nasty and potentially a security hole.
My question: what is the best way around this?
One solution I can think of is to apply security to the adapter class
and then use a factory that acquisition-wraps the adapter upon
instantiation. Does that sound reasonable?
Have others come across this sort of thing before?
Thanks,
Tim
_______________________________________________
Product-Developers mailing list
http://lists.plone.org/mailman/listinfo/product-developers