I'm not convinced the new security stuff deals properly with attributes
other than simple methods.

Here's the evidence, again from Squishdot (guess what I've been doing

You remember the Posting class? Well, Posting's objects have a text
attribute called 'subject'

Unless you have __allow_access_to_unprotected_subobjects__=1, you get
the following error after you hit cancel on the authentication dialog
box that pops up:

(well, I was getting an unauthorized error on subject, now I just get no
response from the server, not even a password dialog box :( That's
really bad...)

Anyway, on to the next example...

If you modify Squishfile by adding and:

         ['file_name', 'file_type', 'content_type', 'file_bytes',
          'file_kbytes', 'date_created', 'date_modified', 'icon', 'index_html'],
         ('Anonymous', 'Manager')),

and a:


at the end, things should work fine; of course, they don't. Right now,
I'm just getting no response from the server; what I was getting (which
was better ;-) is an unauthorized error on 'icon'. icon is defined in
Squishfile as follows:


...and is protected by the 'View' permission as you can see above.

What is going on?!


PS: When do you and do you not mix in RoleManager? What does it do and
when is it needed?

PPS: If anyone wants to test this for themselves, let me know and I'll
check my code into the Squishdot public CVS (on a branch! ;-)

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **