During the development of my application I suddenly noticed that my 
context-objects had no security proxy around them, which is bad, as then data 
is open to everyone.

After searching and fiddling around, I recognized that this happens when I use 
a layer/skin that inherits from z3c.layer.pagelet.IPageletBrowserLayer. If I 
inherit from e.g. zope.publisher.interfaces.browser.IBrowserRequest, things 

To prove this, I attached a minimal demonstration to this mail - in the 
__init__.py file, the offending code is demonstrated. After installing and 
adding the object via the ZMI, one can access these links:


It can be seen, that the second link, which is based on a skin inheriting from 
the IPageletBrowserLayer, has no security proxies around the context.

Interestingly, I develop another application, which is also based on 
IPageletBrowserLayer which does not suffer from this problem, so I don't 
really understand what's happening. I tried to debug the problem but I was 
stuck at the implementation of queryMultiAdapter which seems to somehow 
magically remove the security Proxy.

I tested this with Python 2.4.4, Zope-3.4.0b2 and Zope-3.4.0c1 and the current 
SVN-versions of z3c.layer.

Do you have any clue how to solve this problem?

Best Regards,

GPG key ID: 299893C7 (on keyservers)
FP: 0124 2584 8809 EF2A DBF9  4902 64B4 D16B 2998 93C7

Attachment: myapp.tgz
Description: application/tgz

Zope3-users mailing list

Reply via email to