Kees Hink wrote:
> I have, on an Archetypes content type, a field 'instruction' with
> 'read_permission = "Set own password"'. The base_view template respects this
> and does not show the field to Anonymous users.
>
> However, my view class's template does not: The TAL snippet
> <tal:instruction tal:define="instruction context/getInstruction | nothing">
>   <span tal:replace="structure instruction"/>
> </tal:instruction>
> displays the field to anyone.
>
> If I copy that template to the product's skins folder under a different name
> and call that template, the field is not shown to Anonymous.

The old-school skin templates/scripts are "untrusted code" so
security checks are done on each and every call for or
access to something.


> The view class and template are registered like this:
>   <browser:page
>      for="IMyInterface"
>      name="MyView"
>      class="Products.MyProduct.browser.MyView.MyView"
>      template="templates/MyView.pt"
>      permission="zope2.View"
>      />
>
> I also tried omitting the class directive, and that produced the same result.
> So how come the field is displayed when the template is a ZCML-registered one?

New-school browser views and pages including their templates and
view classes are "trusted code" meaning there are no security checks
other than the ones defined explicitly in ZCML.
So the above permission setting means that access to this particular
browser page requires the view permission and that applies to whatever
the view class or the template does.
If you need more granularity you have to implement specific checks
in the view class (or the template even) yourself.

Yes, this is very different from how it used to be.

Raphael
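One way to put the explicit check Raphael describes into the view class, as an added example that is not code from this thread or from Plone: the view consults the field's own read_permission through getSecurityManager().checkPermission, and the template asks the view (view/instruction) instead of the context. The stand-in security manager, _Field, _Content and render_instruction are constructed so the example runs outside a Zope instance.

```python
# Added example, not code from the thread: the view re-applies the Archetypes
# field's own read_permission, since a ZCML-registered view is trusted code and
# only the page-level permission="zope2.View" is enforced for it. Zope's real
# security manager is used when importable; the fallback is a constructed
# stand-in so the example also runs outside a Plone instance.
_GRANTED = set()  # permissions held by the simulated user (stand-in only)
try:
    from AccessControl import getSecurityManager
except ImportError:
    class _StubSecurityManager:
        def checkPermission(self, permission, obj):
            return permission in _GRANTED

    def getSecurityManager():
        return _StubSecurityManager()

class MyView:
    """Template uses view/instruction, not context/getInstruction."""
    def __init__(self, context, request):
        self.context, self.request = context, request

    def instruction(self):
        field = self.context.getField("instruction")
        # Honour the permission declared on the field itself; unknown field
        # or missing permission both fall through to "show nothing".
        if field is None or not getSecurityManager().checkPermission(
                field.read_permission, self.context):
            return None
        return field.getAccessor(self.context)()

class _Field:  # constructed stand-in for an Archetypes field
    def __init__(self, name, read_permission, value):
        self.name, self.read_permission, self._value = name, read_permission, value

    def getAccessor(self, instance):
        return lambda: self._value

class _Content:  # constructed stand-in for the content object
    def __init__(self, *fields):
        self._fields = {f.name: f for f in fields}

    def getField(self, name):
        return self._fields.get(name)

def render_instruction(granted):
    # Render the field as a user holding exactly these permissions (stand-in).
    _GRANTED.clear(); _GRANTED.update(granted)
    content = _Content(_Field("instruction", "Set own password", "<p>Secret</p>"))
    return MyView(content, request=None).instruction()
```

The page template then defines instruction as view/instruction | nothing rather than context/getInstruction | nothing, so an anonymous visitor gets nothing while a user holding "Set own password" sees the field.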

_______________________________________________
Product-Developers mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/product-developers