Okay, next up, if it's a security error, it should throw a security
error! :(

Squishdot Posting's can have file attachments. 

class Posting(Persistent, Implicit,RoleManager):     


    # protected by 'View' permission
    def attachment(self):     
        return file and (file,) or None     


These are stored as attributes in a totally un-security aware class:

class Squishfile(Acquirer,Persistent):

    def file_name(self):  
        return self._name  


posting_html is a DTML method and, in 2.2, fails is this bit (which used
to work! ;-):

<dtml-if attachment>  
<dtml-in attachment>  
<A HREF="./<dtml-var file_name url_quote>">  
<IMG SRC="<dtml-var SCRIPT_NAME >/<dtml-var icon>" HEIGHT="16  
 WIDTH="16" BORDER="0" ALT="Click to download attachment"></A>    
<A HREF="./<dtml-var file_name url_quote>"><dtml-var file_name></A>   
<dtml-var file_kbytes>KB (<dtml-var file_bytes> bytes)<BR>  
</dtml-in attachment><BR>  
</dtml-if attachment>  

However, the error is rather strange:

Error Type: KeyError
Error Value: file_name
(traceback in PS)

This, believe it or not, is actually a security error, since I can make
it go away by mixing RoleManager into Squishfile and adding
__allow_access_to_unprotected_subobjects__=1 to the class.

Why do I get this, which I presume is due to file_name not being
available in the stacked namespaces, rather than a security dialog box?



PS: The above code works fine in the management interface, without any
changes to Squishfile, which was the subejct fo my previous post.

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to