Aleksander Salwa wrote:
> Few days ago I found that on site that I'm currently working on,
> everybody can add DTMLMethods and Documents (and maybe do more, I haven't
> checked yet, but I think it's bad enough !) by simply entering URL
> http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1

You're right.  It's because of a "legacy" issue.  Here's a quick patch
that plugs the hole:

Index: ProductContext.py
===================================================================
RCS file: /cvs-repository/Zope2/lib/python/App/ProductContext.py,v
retrieving revision 1.27
diff -u -r1.27 ProductContext.py
--- ProductContext.py   2000/11/20 15:36:35     1.27
+++ ProductContext.py   2000/12/08 18:46:38
@@ -195,7 +195,7 @@
             else: name=method.__name__
             if not OM.__dict__.has_key(name):
                 setattr(OM, name, method)
-                setattr(OM, name+'__roles__', pr)
+                setattr(OM, method.__name__+'__roles__', pr)
 
         if type(initial) is tt: name, initial = initial
         else: name=initial.__name__  

This is not perfect, however.  I'm working on a better solution.

Shane

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

Reply via email to