Problem solved!
In the case outlined below "this" will point somewhere else, probably to the
DTMLMethod that contains the HTML code. By setting the magic variable "here"
to self and using
AUTHENTICATED_USER.has_permission('Permission', here) instead of
AUTHENTICATED_USER.has_permission('Permission', this) it works!

Thanks for the nonexistent support. ;-)
Well, explaining the problem to somebody else helps sometimes even if they
have no clue what you are talking about, so... :-)

Still no luck with the strange refresh problems though...

Best Regards

Lennart Regebro
Torped Strategi och Kommunikation AB

----- Original Message -----
From: "Lennart Regebro" <[EMAIL PROTECTED]>
Sent: Saturday, June 01, 2002 5:16 PM
Subject: [Zope-dev] Weird permission happenings: Is Manager magic?

> This is the situation:
> Zope 2.5.1/Python 2.1.3
> I'm calling index_html on an object. Index_html in turn finds a template
> calls "template.view(self)" on it. The template.view pushes itself on the
> context inbetween the object and the objects parent, thusly:
> object.aq_parent
> thetemplateobjects
> object
> It then calls "DTMLMethod.__call__( context, REQUEST, RESPONSE)" to render
> the DTMLMethod that contains the template itself, and thereby render the
> object.
> This works very well, for all purposes except when it comes to security.
> the DTMLMethod that contains the HTML I can for example do this:
> <dtml-var "AUTHENTICATED_USER.has_permission('View', this)">
> And here comes the weird part:
> If I am logged in as a user who has the Manager role, the result will be
> of the above dtml-var, as expected. However, if I log in as a user who is
> not Manager, the result will be "None", no matter if the user has the
> permission or not!
> I have create a role that has all permission in the root. All permissions
> are aqcuired over the whole site (which is a very small development site),
> and still the above returns "None"!

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to