[Zope-CMF] Proxy Roles on Python Scripts in Skins

Chris Withers chrisw@nipltd.com
Thu, 23 Jan 2003 11:09:58 +0000


Hi Tres,

Tres Seaver wrote:
> On Wed, 2003-01-22 at 12:07, Slade Mrs A wrote:
> 
>>Proxy role of Manager did actually work in the end.
> 
> Note that, since skin methods themselves are intrinsically "public",

Unless you change their permissions, right?

> giving one proxy roles allows anyone who can visit the template (perhaps
> by editing a URL line manually, for instance), to execute them (e.g.,
> to reset the title on your folderish content object).

Indeed. So, you solve this by only giving 'View' on the script object to the 
roles that are allowed to edit content, right?

Now, the problem that stumps me is when you mix workflow into this equation.
Someone can only edit an object when it's in a certain workflow state; however, 
even with the script having its 'View' roles twiddled, you could still use the 
method you described to edit content that was in _any_ state.

How would you solve or work around this problem?

cheers,

Chris
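
The situation Chris describes, as an added illustration that is not part of
his mail and not Zope or CMF code: a small Python model of a skin script with
its own 'View' roles and a proxy role, run against content whose
'Modify portal content' roles depend on the workflow state. All class names,
role sets and the two states are constructed for the example; the guard at the
end stands in for checking the review state inside the script.

```python
"""Toy model of a proxy-roled skin script, added as an illustration.
It is not Zope's security machinery; every name and value here is
constructed for the example."""

# Roles granted a permission on an object, per workflow state (constructed
# sample: Owners may edit private content, only Managers may edit published).
STATE_PERMS = {
    "private": {
        "View": {"Owner", "Manager"},
        "Modify portal content": {"Owner", "Manager"},
    },
    "published": {
        "View": {"Anonymous", "Owner", "Manager"},
        "Modify portal content": {"Manager"},
    },
}

# Assumption: the script should only ever edit content in these states.
EDITABLE_STATES = {"private"}


class Unauthorized(Exception):
    pass


class Content:
    def __init__(self, title, review_state):
        self.title = title
        self.review_state = review_state

    def roles_for(self, permission):
        return STATE_PERMS[self.review_state][permission]


class SkinScript:
    """view_roles: who may execute the script (its own 'View' permission).
    proxy_roles: if set, replace the caller's roles while the body runs."""

    def __init__(self, body, view_roles, proxy_roles=None):
        self.body = body
        self.view_roles = set(view_roles)
        self.proxy_roles = set(proxy_roles) if proxy_roles else None

    def __call__(self, caller_roles, obj, **kw):
        if not (set(caller_roles) & self.view_roles):
            raise Unauthorized("caller may not View the script")
        effective = self.proxy_roles or set(caller_roles)
        return self.body(effective, obj, **kw)


def set_title(roles, obj, title):
    """Stands in for the edit call: needs Modify portal content on obj."""
    if not (roles & obj.roles_for("Modify portal content")):
        raise Unauthorized("Modify portal content on target")
    obj.title = title
    return obj.title


def guarded_set_title(roles, obj, title):
    """Same edit, but the script checks the workflow state itself, so the
    proxy role cannot be used to edit content in a state that forbids it."""
    if obj.review_state not in EDITABLE_STATES:
        raise Unauthorized("not editable in state %r" % obj.review_state)
    return set_title(roles, obj, title)


PUBLIC = {"Anonymous", "Authenticated", "Owner", "Manager"}


def attempt(script, caller_roles, obj, title):
    """Return 'edited' or 'refused' for one call."""
    try:
        script(caller_roles, obj, title=title)
        return "edited"
    except Unauthorized:
        return "refused"


def scenarios():
    """The situations from the thread, plus the guarded variant."""
    out = {}
    # 1. Public script with proxy role Manager: anyone who types the URL edits.
    public = SkinScript(set_title, PUBLIC, proxy_roles={"Manager"})
    out["anonymous_public"] = attempt(public, {"Anonymous"}, Content("t", "private"), "x")
    # 2. 'View' on the script limited to editing roles: anonymous is stopped.
    restricted = SkinScript(set_title, {"Owner", "Manager"}, proxy_roles={"Manager"})
    out["anonymous_restricted"] = attempt(restricted, {"Anonymous"}, Content("t", "private"), "x")
    # 3. Chris's problem: an Owner still edits published content, because the
    #    proxy role satisfies Modify portal content whatever the state.
    out["owner_published_restricted"] = attempt(restricted, {"Owner"}, Content("t", "published"), "x")
    # 4. A workflow-state check inside the script closes that without
    #    losing the legitimate case.
    guarded = SkinScript(guarded_set_title, {"Owner", "Manager"}, proxy_roles={"Manager"})
    out["owner_published_guarded"] = attempt(guarded, {"Owner"}, Content("t", "published"), "x")
    out["owner_private_guarded"] = attempt(guarded, {"Owner"}, Content("t", "private"), "x")
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-28s %s" % (name, result))
```

The model's point is that the script's own 'View' permission only decides who
may run it; once the proxy role is in effect, the target object's
state-dependent permissions are checked against Manager, not against the
caller. In a real CMF site the equivalent of EDITABLE_STATES check would read
the state via portal_workflow.getInfoFor(obj, 'review_state') before doing
anything under the proxy role.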