[Zope-CMF] PortalContent permissions

Shane Hathaway shane@digicool.com
Mon, 16 Apr 2001 12:20:46 -0400


seb bacon wrote:
> 
> When adding new actions to a PortalContent object, I'm finding that
> its first action is returned and displayed, regardless of whether or
> not the user has the permission specified with the action.
> 
> It seems to me that the _index_html provided for PortalContent is
> not checking the permissions specified in the object's TypeInfo:

You're right, it's not checking the permission and it should.  (This
isn't any kind of security problem, though, since it just means that
users might be shown an action they can't actually access.)

What do you think it should do?  I was thinking it should first look for
a "view" action, but if the user doesn't have access to it, it should
look through the options in order and choose the first action the user
is allowed to access.

>         ti = self.getTypeInfo()
>         if ti is not None:
>             path = ti.getActionById('view', None)
>             if path is not None:
>                 view = self.restrictedTraverse(path)
>                 return view
> 
> Should getActionById be doing the security checks?  I can't see that
> the TypesTool could actually change the permissions mapping on the
> Skin in question.  Or have I missed something obvious?

restrictedTraverse() prevents the user from accessing something they
shouldn't.  But _index_html should also prevent the interface from
showing the user a page they can't fully access.

> And as a bonus question, what does the following, from PortalContent,
> acheive?
> 
>      index_html = ComputedAttribute(_index_html, 1)
> 
> (I've looked through mailing lists for clues, but although
> there's some mention of it in regard to acquisition, I'm still in the
> dark).

It exposes _index_html as a computed attribute named index_html, with
the bonus that the "self" passed to _index_html is an acquisition
wrapper (that's what the "1" does.)  This is necessary to make skins
work.

Shane