An other issue with converting skin scripts to browser views:

Scripts are untrusted code, the permissions are checked for all methods called from scripts. Browser views are trusted code, they are only protect by one permission for the complete view.

Complex forms like folder contents behave different depending on the permissions the users have. E.g. some users can delete or rename sub-objects while others can't.

The only solution I see is to protect all actions that need a different permission than the form itself by checkPermission.

Am I missing something?



Zope-CMF maillist  -  Zope-CMF@lists.zope.org

See http://collector.zope.org/CMF for bug reports and feature requests

Reply via email to