> Jeremy Hylton wrote:
> > What if you used a special object that would produce a useful error
> > message if the user tries to access the container.
> I like this.  Make it a singleton, and put it in the global namespace 
> for Scripts, so that we can write:
>    if context is Inaccessible:
>      # Do without access to context

I've checked in the changes to the 2.6 branch, 2.7 branch and the head
to change the binding behavior for 'container' and 'context':

  - If the user does not have access to the item, the script 
    will bind an UnauthorizedBinding object instead of the 
    real object, rather than throw an exception at binding 

  - Any attribute or item access on the UnauthorizedBinding will 
    throw an Unauthorized, including the name of the binding 
    that the user didn't have access to.

The result is that if you have scripts where the script container 
is inaccessible to the users of the script:

  - If the script does not reference 'container' in its code, 
    things will work without any action on the part of the site 

  - If the script *does* reference 'container' then a meaningful 
    Unauthorized error will be raised. Site admins can either 
    give users the appropriate roles on the script container or 
    give appropriate proxy roles to the scripts to fix any 

Note that I *didn't* put the UnauthorizedBinding in the script 
globals to implement the Inaccessible idea above, because: 

  - it is kind of 'featurish', at least in that it really should 
    have some associated documentation etc.

  - I want to make only absolutely necessary changes at this 
    point and get 2.6.4 and 2.7.0 finalized.
If any of the Plone folk who have been running into this issue 
can try the changes from cvs, I'd appreciate it.


Brian Lloyd        [EMAIL PROTECTED]
V.P. Engineering   540.361.1716              
Zope Corporation   http://www.zope.com 

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to