On Mon, 21 Aug 2000 12:15:24 +0100, Chris Withers <[EMAIL PROTECTED]>
>The SquishSite class has a method called item_count() which is used on
>one of the management pages. It currently isn't protected by any
>permissions or __roles__ and yet it still works fine on the management
>screen concerned.
>I thought this sort of thing was supposed to throw up an unauthorized
>error in 2.2?

No, for two reasons:

Firstly, I assume your management page is a dtml file on disk, not a
dtml object stored in the ZODB. dtml files bypass *all* security

Secondly, all objects that inherit from OFS.Item.SimpleItem (that is,
almost all high level objects) have the
__allow_access_to_unprotected_subobjects__ flag set. Your method would
be callable from through-the-web dtml too.

The basic rules of Zope security are fairly easy; its the exceptions
that cause the problems.

Toby Dickenson

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to