Do you use some version of z3c.layer that's registering standard Zope  
traversers as trusted adapters, like, e.g:


In this case, if you traverse to 'student_object/top.html' the  
ItemTraverser will try to lookup the view:

view = queryMultiAdapter((self.context, request), name=name)

Since the traverser is trusted the view will be looked up with a non- 
security-proxied purchase object. As a result the security  
declarations of your Purchase class will be ineffective.

Try to traverse to 'student_object/@@top.html', i.e. explicitely using  
the 'view' namespace instead of the ItemTraverser's fallback to a view  
lookup.  If I'm right, this will correctly raise a ForbiddenAttribute.

In any case: If you get a ForbiddenAttribute the user permissions are  
not the problem. In the latter case you would get an Unauthorized  

Markus Kemmerling

Am 12.09.2009 um 14:46 schrieb hass:

> Hi,
> I have a ZCML declaration like this for the "StudentDisplay" view:
> <z3c:pagelet
>     for="..IStudent"
>     name = "top.html"
>     class=".StudentDisplay"
>     permission = "student.edit"
>     layer = ...
> />
> <browser:defaultView
>    for = "..IStudent"
>    name = "top.html"
>    layer = ...
> />
> In the "StudentDisplay" view I have the following line:
> orders = [ purchase.order for purchase in  self.context['orders'] ]
> Now, the "purchase" object does not have any security declarations  
> (with
> the "require" directive) and the above line(which is accessing the
> "order" attribute ) should produce a ForbiddenAttribute. However,  
> there
> is something which I don't get.
> when I access the  "student_object/top.html" page, I do not get any
> errors and "can" access the "order "attribute of the purchase  
> object. On
> the other hand when I don't explicitly enter the full URL and want to
> take advantage of the defaultView directive ( when accessing
> "student_object/"  ), there is a ForbiddenAttribute.
> The user is the same and has the exact same permissions.
> Can anyone please explain  to me this behavior.
> Thankyou!
> Hass
> _______________________________________________
> Zope3-users mailing list
> Zope3-users@zope.org
> https://mail.zope.org/mailman/listinfo/zope3-users

Zope3-users mailing list

Reply via email to