In the case outlined below "this" will point somewhere else, probably to the
DTMLMethod that contains the HTML code. By setting the magic variable "here"
to self and using
AUTHENTICATED_USER.has_permission('Permission', here) instead of
AUTHENTICATED_USER.has_permission('Permission', this) it works!
Thanks for the nonexistent support. ;-)
Well, explaining the problem to somebody else helps sometimes even if they
have no clue what you are talking about, so... :-)
Still no luck with the strange refresh problems though...
Torped Strategi och Kommunikation AB
----- Original Message -----
From: "Lennart Regebro" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 01, 2002 5:16 PM
Subject: [Zope-dev] Weird permission happenings: Is Manager magic?
> This is the situation:
> Zope 2.5.1/Python 2.1.3
> I'm calling index_html on an object. Index_html in turn finds a template
> calls "template.view(self)" on it. The template.view pushes itself on the
> context inbetween the object and the objects parent, thusly:
> It then calls "DTMLMethod.__call__( context, REQUEST, RESPONSE)" to render
> the DTMLMethod that contains the template itself, and thereby render the
> This works very well, for all purposes except when it comes to security.
> the DTMLMethod that contains the HTML I can for example do this:
> <dtml-var "AUTHENTICATED_USER.has_permission('View', this)">
> And here comes the weird part:
> If I am logged in as a user who has the Manager role, the result will be
> of the above dtml-var, as expected. However, if I log in as a user who is
> not Manager, the result will be "None", no matter if the user has the
> permission or not!
> I have create a role that has all permission in the root. All permissions
> are aqcuired over the whole site (which is a very small development site),
> and still the above returns "None"!
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -