On 27.09.2007 at 12:40, Jens Vagelpohl wrote:
> If you have a script somewhere in the skins or in your site it will
> *always* be available for people who call it up directly by URL.
> There is no builtin mechanism in Zope or the CMF to control that.
> You could do some "manual" checking inside the script to make sure
> the calling user has the right permissions or the script is not
> called by direct URL traversal.

Thanks, I thought as much. It's not difficult to check the user for
the correct role and return an index page otherwise but I guess I
need to start explicitly attaching such scripts to objects and their
methods but I'm still on that learning curve, which is probably not
helped by the fact I nearly always store data in an RDBMS and I don't
use O/R mappers.
Zope-CMF maillist - Zope-CMF@lists.zope.org
See http://collector.zope.org/CMF for bug reports and feature requests