[Zope-dev] Re: Problems with Transparent Folder and Zope 2.3.3

Shane Hathaway shane@digicool.com
Mon, 25 Jun 2001 10:15:52 -0400


On Monday 25 June 2001 04:47, Chris Withers wrote:
> Shane Hathaway wrote:
> > Again, it doesn't allow layers from outside the portal_skins tool
> > because of security considerations, not performance considerations.
>
> Erm... I know I'm being dense, but could you explain these again?

That's alright.  Skins are chosen before authentication.  If we allowed 
skins outside the skins tool, people would expect security to apply (so 
that, for example, only certain users get to use certain skins).  But 
since skins are chosen before authentication, you can either ignore 
security or only allow anonymously accessible folders.

We chose to avoid the need for security checks in skin paths, since the 
other route would have yielded unexpected behavior (only anonymously 
accessible folders) and would have been slower.

BTW skins can't be chosen after authentication in the general sense so 
don't ask. :-)  You could make your own skins tool that chooses the path 
after auth, but either ZPublisher or your user folder would have to be 
patched to make it happen, but that's not an option for a release version 
of CMF.

All of this may change in future versions.

Shane