[Zope] DTML method's contents accessible but not viewable within aclass definition ? class definition ?

chas panda@skinnyhippo.com
Sun, 09 Apr 2000 12:26:47 +0900


>As a suggestion, you could make a switch in your index_html methods that
>your content method looks for.
>
>e.g., in index_html for MyZClass:
>
><dtml-let ok_to_display_content="1">
>do the content stuff
></dtml-let>
>
>and in content
>
><dtml-if ok_to_display_content>
>show your content
><dtml-else>
>You shouldn't be viewing this... (or perhaps you could call the parent
>or do a redirect here)
></dtml-if>

Nice idea Jim. 

>> I've been getting nowhere with the "Define Permissions" tab of
>> the 'content' DTML method in the ZClass definition - it's simply
>> not possible to disable the 'view' property.
>
>It's a bit of a kludge, but should easily get you the behavior you
>want...

Well, if it's coming down to kludges, I was initially playing
with writing this in the first line of the DTML method 'content' :

<dtml-if "URL[-7:]=='content'">
    <dtml-return err_page>
</dtml-if>

My only concern was that I was pretty sure somebody would be 
able to circumvent this using some sneaky query string or URL.

My other concern was that I didn't want to hack/kludge this
if I was overlooking something basic in DTML/Zope but if there
really isn't any alternative, then I guess this will do for 
now :(

This could also be coupled with your idea of a boolean property
to manually enable/disable it. Thank you again.

chas



>> Having spent the better part of the night getting nowhere with
>> this, I hope somebody can help.
>> 
>> Consider a DTML method (called 'content') which is part of
>> a ZClass as follows :
>> 
>> /Control_Panel
>>         /Products
>>                 /MyProduct
>>                         /MyZClass
>>                                 content [dtml method]
>> 
>> Is there no way to protect the DTML method so that it
>> cannot be accessed directly from instances of this ZClass ?
>> 
>> eg. if we create an instance of MyZClass in the Zope root :
>> 
>> /MyInstance
>> 
>> I don't want people to be able to call :
>>         http://Zope_server/MyInstance/content
>> 
>> But we would like other DTML documents/methods such as
>> http://Zope_server/MyInstance/index_html
>> to be able to access the contents using "<dtml-var content>"