[Zope-CMF] Calling context.setTitle() doesn't work when you're not a Manager

Tres Seaver tseaver@zope.com
22 Jan 2003 13:05:02 -0500


On Wed, 2003-01-22 at 12:07, Slade Mrs A wrote:
> Proxy role of Manager did actually work in the end.

Note that, since skin methods themselves are intrinsically "public",
giving one proxy roles allows anyone who can visit the template (perhaps
by editing a URL line manually, for instance), to execute them (e.g.,
to reset the title on your folderish content object).  As an analogy,
marking a skin template / method with proxy roles of Manager is a lot
like marking a Unix script or executable as "setuid root".

In some environments, this may be perfectly OK (but there you could
likely re-bind the "Manage properties" permission to "Owner", anyway).
I would strongly recommend against using such a script on a site which
you expose to untrusted users, however.

> Thanks for your help.

You're welcome!

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
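
The setuid-style risk described in the message above, as an added example that is not part of the original post and not Zope code: a simplified Python model of the permission check, in which a script's proxy roles replace the caller's own roles. The names Folder, set_title, skin_script, attempt and demo, and the users, are constructed for illustration.

```python
# Simplified model of a Zope-style permission check (constructed; not Zope's API).
class Unauthorized(Exception):
    pass

class Folder:
    def __init__(self, title, owner):
        self.title = title
        self.owner = owner
        # permission -> roles granted it; as in the thread, only Manager holds it
        self.permission_roles = {"Manage properties": {"Manager"}}

    def roles_of(self, user):
        roles = set(user["roles"])
        if user["name"] == self.owner:
            roles.add("Owner")  # local role on this object
        return roles

def set_title(folder, title, user, proxy_roles=None):
    """Protected method. Proxy roles, when present, replace the caller's roles."""
    effective = set(proxy_roles) if proxy_roles is not None else folder.roles_of(user)
    if not effective & folder.permission_roles["Manage properties"]:
        raise Unauthorized(user["name"])
    folder.title = title

def skin_script(folder, title, user, proxy_roles=None):
    """Stands in for a public skin method: anyone who reaches its URL runs it."""
    set_title(folder, title, user, proxy_roles)

def attempt(folder, title, user, proxy_roles=None):
    try:
        skin_script(folder, title, user, proxy_roles)
        return True
    except Unauthorized:
        return False

def demo():
    anon = {"name": "Anonymous User", "roles": ["Anonymous"]}
    alice = {"name": "alice", "roles": ["Member"]}
    f = Folder("Original", owner="alice")
    res = {"owner_no_proxy": attempt(f, "Alice's folder", alice),
           "anon_manager_proxy": attempt(f, "changed by visitor", anon, ["Manager"])}
    g = Folder("Original", owner="alice")
    g.permission_roles["Manage properties"].add("Owner")  # re-bind, no proxy roles
    res["owner_rebound"] = attempt(g, "Alice's folder", alice)
    res["anon_rebound"] = attempt(g, "changed by visitor", anon)
    return res, f.title, g.title

if __name__ == "__main__":
    print(demo())
```

With the Manager proxy role the anonymous caller's change succeeds; with the permission re-bound to Owner and no proxy roles, only the owner's does.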