Hi,

I have a ZCML declaration like this for the "StudentDisplay" view:

<z3c:pagelet
     for="..IStudent"
     name = "top.html"
     class=".StudentDisplay"
     permission = "student.edit"
     layer = ...
/>

<browser:defaultView
    for = "..IStudent"
    name = "top.html"
    layer = ...
/>

In the "StudentDisplay" view I have the following line:

orders = [ purchase.order for purchase in  self.context['orders'] ]

Now, the "purchase" object does not have any security declarations (with 
the "require" directive) and the above line (which is accessing the 
"order" attribute) should produce a ForbiddenAttribute. However, there 
is something which I don't get.

When I access the "student_object/top.html" page, I do not get any 
errors and "can" access the "order" attribute of the purchase object. On 
the other hand, when I don't explicitly enter the full URL and want to 
take advantage of the defaultView directive (when accessing 
"student_object/"), there is a ForbiddenAttribute.

The user is the same and has the exact same permissions.
Can anyone please explain this behavior to me?
Thank you!
Hass

_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
https://mail.zope.org/mailman/listinfo/zope3-users
