[Zope-CMF] PortalContent permissions

seb bacon seb@jamkit.com
Mon, 16 Apr 2001 16:17:44 +0100


When adding new actions to a PortalContent object, I'm finding that
its first action is returned and displayed, regardless of whether or
not the user has the permission specified with the action.

It seems to me that the _index_html provided for PortalContent is
not checking the permissions specified in the object's TypeInfo:  

        ti = self.getTypeInfo()
        if ti is not None:
            path = ti.getActionById('view', None)
            if path is not None:
                view = self.restrictedTraverse(path)
                return view

Should getActionById be doing the security checks?  I can't see that
the TypesTool could actually change the permissions mapping on the
Skin in question.  Or have I missed something obvious?

And as a bonus question, what does the following, from PortalContent,
acheive?

     index_html = ComputedAttribute(_index_html, 1)

(I've looked through mailing lists for clues, but although
there's some mention of it in regard to acquisition, I'm still in the
dark). 

seb

--