Max M writes:
 > ....
 > <dtml-in getAllComments>
 >     <i><dtml-var author></i><br>
 > .....
 > Traceback:
 > ....
 > Unauthorized: author
 >
 > ....
 >     def addComment(self, comment='', author='' , RESPONSE=None):
 >         "Adds a comment"
 >         self.comments.append(aComment(comment, author))
 >         self._p_changed = 1 # Trigger persistence
 >         RESPONSE.redirect('index_html')
 > ....
 >     def getAllComments(self):
 >         "returns a list of all comments"
 >         return self.comments

Your "getAllComments" returns a list of bare (unwrapped) 
objects. This removes any possibility to acquire permissions.
You should probably rewrite your "getAllComments" like this:

    def getAllComments(self):
        "returns a list of all comments"
        r= []
        for c in self.comments:
            # wrap each comment in the context of its container
            r.append(c.__of__(self))
        return r

This would require that "aComment" inherits from
"Acquisition.Implicit" (or "Explicit").

Furthermore, your "aComment" does not specify any security
rules. With the new Zope 2.2 security policy, this means
access is prohibited.
You may consider providing security rules.

There is a nice document from Brian which explains your options.


Dieter
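
An added illustration of the two points in the reply above (not code from the thread or from Zope): a simplified pure-Python model of why a bare object yields "Unauthorized: author", while a wrapped one, or one whose class declares its own roles, does not. `Wrapper`, `Implicit`, `Board`, `DeclaredComment` and `guarded_getattr` are hypothetical stand-ins for Zope's acquisition wrappers and security policy.

```python
# Simplified model, not Zope's Acquisition/AccessControl code.
# All class and function names below are hypothetical.

class Unauthorized(Exception):
    pass

class Wrapper:
    """An object plus the container it was reached through."""
    def __init__(self, obj, parent):
        self._obj, self.aq_parent = obj, parent

    def __getattr__(self, name):
        # Called only when normal lookup fails: try the wrapped object,
        # then fall back to (acquire from) the parent.
        try:
            return getattr(self._obj, name)
        except AttributeError:
            return getattr(self.aq_parent, name)

class Implicit:
    def __of__(self, parent):
        return Wrapper(self, parent)

class Comment(Implicit):            # declares no security rules itself
    def __init__(self, comment, author):
        self.comment, self.author = comment, author

class DeclaredComment(Comment):     # carries its own rule
    __roles__ = ('Anonymous',)

class Board:
    __roles__ = ('Anonymous',)      # rule a wrapped comment can acquire

    def __init__(self, comments):
        self.comments = comments

    def bare(self):
        return self.comments

    def wrapped(self):
        return [c.__of__(self) for c in self.comments]

def guarded_getattr(obj, name, user_roles):
    """Return obj.name only if roles are found and the user holds one."""
    roles = getattr(obj, '__roles__', None)
    if roles is None or not set(roles) & set(user_roles):
        raise Unauthorized(name)
    return getattr(obj, name)
```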
