I am currently dealing with security and I found a "strange" behaviour of Zope.
OK, I will sum it up in short:
I have defined the following components:
1. A view component, which I have registered in the following way:
So, there is a template a.pt, which calls a method of the class bookapp.mc.Mc
2. The base class of the view has got a method, which is called from the
template. And the method looks like the following:
    ut = zapi.getUtility(IBookstore)
    ret = ut.test3()
So the method of the base class of the view tries to get a utility and then
calls a function of the utility.
3. A utility; what it does is not important. I have registered it the following
Now the important part: I have opened the ZMI and did NOT log in. And then I called the
view, which itself calls the utility, and everything was OK. But the problem was
that I was not logged in, but the utility requires the permission
"zope.ManageContent". Why does it work??? Later I tried it with a content
component, and then I got an Unauthorized exception.
So can code always access everything, or not?
Thanks a lot for your replies in advance!
Zope3-users mailing list