[Zope] Workaround for objectValues security problem?

andres@corrada.com
Thu, 13 Jul 2000 14:59:07 -0400


On Thu, Jul 13, 2000 at 12:47:56PM -0400, Andres Corrada-Emmanuel wrote:
> 
> The problem, as reported in a posting from Jerome Alet last week, is that the Anonymous
> user does not have permission to access the objectValues method. Giving the navigation

I should correct myself by saying that the objectValues method is not the
real problem here, but the way the <dtml-in> tag is processed, since I can
reproduce the problem with the following variant:

<dtml-let rootFolders="PARENTS[-1].objectValues('Folder')">
<dtml-in rootFolders>
.
.
.

and the DTML Method that includes this code works fine when called directly,
but fails when called within another Document or Method, saying that
Anonymous is not authorized to look at "rootFolders". The failure occurs in
lib/python/DocumentTemplate/DT_In.py in the function "renderwob".

I've looked at the code but it isn't easy to figure out what is going on.

------------------------------------------------------
Andres Corrada-Emmanuel   Email: andres@corrada.com
------------------------------------------------------