Shane Hathaway wrote:
> > How should I go about petitioning for
> > <dtml-var anobject aq_context> to become valid syntax?
>
> There's one little (okay, big) problem with this idea: aq_context
> strips the security context. In fact, it could be used to confuse the
> security machinery.
>
> Let's say I'm Joe Hacker and I have set up membership at
> www.zope.org/Members/jhacker. I create a DTML method called index_html
> with this:
>
> <dtml-with Members>
> <dtml-with hathawsh aq_context>
> <dtml-call expr="index_html.manage_edit('1 0WN U')">
> </dtml-with>
> </dtml-with>

Alright, I give up :-(

This would be really useful, but if it's going to open up security holes
everywhere, then I best leave it alone :-S

cheers,

Chris
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev