I am having a problem where DTML is allowing access to an attribute of an 
object that restrictedTraverse and regular . notation denies from a python 

I have a python product and I have the securit.setDefaultAccess('deny') so 
that items inside there without security declarations can't be called and 
this works for url traversal, restrictedTraverse and getting to the object 
via python scripts in that access is denied but dtml can get right in which 
is a problem.

Lets say I have container foo with object bar in an and inside bar an object 
which should not be allowed accessed.

<dtml-var "foo.bar.shouldnotwork"> gives the value of shouldnotwork


<dtml-var "restrictedTraverse('foo/bar/shouldnotwork')'> gives access denied

and from a python script 

return context.foo.bar.shouldnotwork gives an access denied also which is what 
I expect.

For a ZPT object I get the same result of access being denied for

<span tal:replace="here/foo/bar/shouldnotwork"></span>

Thus I suspect the problem is with DTML somewhere but I am not sure where. 
However I could also be doing something wrong in my python product but 
currently I can no imagine what would allow that dtml to do it but nothing 

The variable shouldnotwork is just a string that is stored in object bar.

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to