On Mon, 21 Aug 2000 12:15:24 +0100, Chris Withers <[EMAIL PROTECTED]>
wrote:
>The SquishSite class has a method called item_count() which is used on
>one of the management pages. It currently isn't protected by any
>permissions or __roles__ and yet it still works fine on the management
>screen concerned.
>
>I thought this sort of thing was supposed to throw up an unauthorized
>error in 2.2?
No, for two reasons:
Firstly, I assume your management page is a dtml file on disk, not a
dtml object stored in the ZODB. dtml files bypass *all* security
checks.
Secondly, all objects that inherit from OFS.Item.SimpleItem (that is,
almost all high level objects) have the
__allow_access_to_unprotected_subobjects__ flag set. Your method would
be callable from through-the-web dtml too.
The basic rules of Zope security are fairly easy; its the exceptions
that cause the problems.
Toby Dickenson
[EMAIL PROTECTED]
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
