robert rottermann wrote:
Having read Stuarts post with a similar context I was digging trough DCWorkflow with the debugger and found that

In Shared.DC.Scripts.Bindings._getContext(self), there
seems to be a new security check:
   getSecurityManager().validate(parent, container, '', self)

Yep, this was a real hole in PythonScripts before; the script shouldn't bind the name 'container' if the user doesn't have access to the container.

does only allow Manager to access the container of the script that is called during the DCWorkflow transition.

Any ideas?

Two possibilities:

  - If your script doesn't need to access container, then go to its
    "Bindings" tab and clear the entry for "container".  The security
    check added in 2.6.3 won't take effect until the name is bound
    (there is even a unit test for that case).

  - If your script *does* need access to the container (which will be
    the "scripts" container of the workflow, IIRC), then you need to
    give the script a proxy role of 'Manager'.

Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to