Hi,

I am currently dealing with security and I found a "strange" behaviour of Zope.
OK, I will sum it up in short:

I have defined the following components:

1. A view component, which I have registered in the following way:

  <browser:page
      for="*"
      name="test3.html"
      class="bookapp.mc.Mc"
      template="a.pt"
      permission="zope.Public"
      >
  </browser:page>

  So, there is a template a.pt, which calls a method of the class bookapp.mc.Mc

2. The base class of the view has got a method, which is called from the
template. And the method looks like the following:

            ut = zapi.getUtility(IBookstore)
            ret = ut.test3()

 So the method of the base class of the view tries to get a utility and then
calls a function of the utility.

3. A utility; what it does is not important. I have registered it in the
following way:

  <utility
      provides=".interfaces.IBookstore"
      factory=".bookstore.Bookstore"
      permission="zope.ManageContent"
      />


Now the important part: I have opened ZMI and do NOT log in. And then I call the
view, which itself calls the utility and everything was o.k. But the problem was
I was not logged in, but the utility requires the permission
"zope.ManageContent". Why does it work??? Later I tried it with a content
component, and then I got an unauthorized exception.

So can code always access everything, or not? 

Thanks a lot for your replies in advance!

