Anders Bruun Olsen wrote at 2005-5-6 18:19 +0200:
> ...
>  security = ClassSecurityInfo()
>  security.setDefaultAccess("deny")
>  security.declareProtected("View Bookbase", "index_html")
> ...
>When the template tries to access container/title an access denied
>expection is raised. With VerboseSecurity I get this explanaition:
>Unauthorized: The container has no security assertions. Access to
>'title' of (Bookbase at /bookbase) denied.
>What exactly am I missing here?

Up to Zope 2.8, you cannot protect access to objects
of simple type (such the "title" attribute of type "string")
in an easy way.
Access to such attributes are dually protected:

       By the "Object Permission" (set via "security.declareObjectProtected")
       *and* the "setDefaultAccess".

"setDefaultAccess" can in fact take dictionaries and callables
as arguments. Read the Zope Developper Guide for the
types available for "__allow_access_to_unprotected_subobjects__"
and how they are interpreted.
"setDefaultAccess" just causes its argument to be assigned
to "__allow_acc...".

Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to