Re: [Zope] accessing parameters in a helper class

2000-11-08 Thread Dieter Maurer

Max M writes:
  
  <dtml-in getAllComments>
  <i><dtml-var author></i><br>
  .
  Traceback:
  
  Unauthorized: author
 
  
  def addComment(self, comment='', author='' , RESPONSE=None):
      "Adds a comment"
      self.comments.append(aComment(comment, author))
      self._p_changed = 1 # Trigger persistence
      RESPONSE.redirect('index_html')
  
  def getAllComments(self):
      "returns a list of all comments"
      return self.comments

Your "getAllComments" returns a list of bare (unwrapped) 
objects. This removes any possibility to acquire permissions.
You should probably rewrite your "getAllComments" like this:

def getAllComments(self):
    "returns a list of all comments"
    r = []
    for c in self.comments:
        # wrap each comment in the acquisition context of its container
        r.append(c.__of__(self))
    return r

This would require that "aComment" inherits from
"Acquisition.Implicit" (or "Explicit").

Furthermore, your "aComment" does not specify any security
rules. With the new Zope 2.2 security policy, this means
access is prohibited.
You may consider providing security rules.

There is a nice document from Brian which explains your options.


Dieter

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




RE: [Zope] accessing parameters in a helper class

2000-11-08 Thread Max M

From: Dieter Maurer

You may consider providing security rules.

There is a nice document from Brian which explains your options.

Yes there is indeed. I just hadn't noticed it before.

I have just added: "__allow_access_to_unprotected_subobjects__=1" to the
aComment class and everything's dandy. Just what the doctor ordered.

Brian also mentions in his document that a "__roles__ = None" should do the
same for the class, but it doesn't. Don't know why.

class aComment:
    ' '
    __allow_access_to_unprotected_subobjects__=1 # This works
    #__roles__= None # This doesn't

    def __init__(self, comment, author):
        self.comment = comment
        self.author  = author

Thanks for the info

Max M

Max M. W. Rasmussen,Denmark.   New Media Director
private: [EMAIL PROTECTED] work: [EMAIL PROTECTED]
-
Specialization is for insects.  -  Robert A. Heinlein
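
An added illustration of the two points made in this thread, not code from either poster or from Zope: a simplified pure-Python model of default-deny attribute access. `Wrapped`, `guarded_getattr`, `Folder`, `BareComment`, `OpenComment` and `try_access` are hypothetical stand-ins; the real Acquisition and AccessControl machinery is more involved.

```python
# Simplified model (assumption): NOT Zope's Acquisition or AccessControl code.
FLAG = "__allow_access_to_unprotected_subobjects__"  # attribute name from the thread


class Unauthorized(Exception):
    """Raised when no security assertion permits the access (default deny)."""


class Wrapped:
    """Toy acquisition wrapper: attributes missing on the object come from the parent."""

    def __init__(self, obj, parent):
        self._obj, self._parent = obj, parent

    def __getattr__(self, name):
        # Only reached when normal lookup on the wrapper itself fails.
        try:
            return getattr(self._obj, name)
        except AttributeError:
            return getattr(self._parent, name)  # "acquire" from the container


def guarded_getattr(container, name):
    """Return container.<name> only if the container carries, or acquires, the flag."""
    value = getattr(container, name)
    if not getattr(container, FLAG, 0):
        raise Unauthorized(name)
    return value


class BareComment:  # no security assertions, like the original aComment
    def __init__(self, comment, author):
        self.comment, self.author = comment, author


class OpenComment(BareComment):  # the class itself grants access, as in Max M's fix
    __allow_access_to_unprotected_subobjects__ = 1


class Folder:  # hypothetical container that carries the flag
    __allow_access_to_unprotected_subobjects__ = 1


def try_access(obj):
    """Read obj.author through the guard; report a refusal as text."""
    try:
        return guarded_getattr(obj, "author")
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc
```

In this model a bare `BareComment` is refused, the same object wrapped in a `Folder` is allowed because it acquires the flag, and `OpenComment` is allowed without any wrapper.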


