[Zope] accessing parameters in a "helper class"

Dieter Maurer dieter@handshake.de
Wed, 8 Nov 2000 21:58:33 +0100 (CET)


Max M writes:
 > ....
 > <dtml-in getAllComments>
 >     <i><dtml-var author></i><br>
 > .....
 > Traceback:
 > ....
 > Unauthorized: author
 >
 > ....
 >     def addComment(self, comment='', author='' , RESPONSE=None):
 >         "Adds a comment"
 >         self.comments.append(aComment(comment, author))
 >         self._p_changed = 1 # Trigger persistence
 >         RESPONSE.redirect('index_html')
 > ....
 >     def getAllComments(self):
 >         "returns a list of all comments"
 >         return self.comments

Your "getAllComments" returns a list of bare (unwrapped) 
objects. This removes any possibility to acquire permissions.
You should probably rewrite your "getAllComments" like this:

    def getAllComments(self):
        "returns a list of all comments"
        r = []
        for c in self.comments:
            # wrap each comment in the context of its container
            r.append(c.__of__(self))
        return r

This would require that "aComment" inherits from
"Acquisition.Implicit" (or "Explicit").

Furthermore, your "aComment" does not specify any security
rules. With the new Zope 2.2 security policy, this means
access is prohibited.
You may consider providing security rules.

There is a nice document from Brian which explains your options.


Dieter
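
A simplified model of the behaviour described in the reply above, added here as an illustration; it is not code from the original post or from Zope. `Wrapper`, `Implicit`, `guarded_getattr`, `Board`, `getAllCommentsBare` and the role values are stand-ins constructed for the example and do not reproduce Zope's Acquisition or AccessControl implementation.

```python
# Simplified model (constructed for illustration; NOT Zope's own code) of why
# a bare object fails the access check while a wrapped one can pass it.

class Unauthorized(Exception):
    pass

_MISSING = object()

class Wrapper:
    """Stand-in for an acquisition wrapper: look on the object first,
    then fall back to the parent it was wrapped in."""
    def __init__(self, obj, parent):
        self._obj, self._parent = obj, parent
    def __getattr__(self, name):
        value = getattr(self._obj, name, _MISSING)
        if value is _MISSING:
            value = getattr(self._parent, name)  # acquire from context
        return value

class Implicit:
    """Stand-in for Acquisition.Implicit: provides __of__."""
    def __of__(self, parent):
        return Wrapper(self, parent)

def guarded_getattr(obj, name, user_roles):
    """Hypothetical check: the roles guarding access must be found on the
    object itself or be reachable through its wrapper."""
    roles = getattr(obj, '__roles__', None)
    if roles is None or not set(roles) & set(user_roles):
        raise Unauthorized(name)
    return getattr(obj, name)

class Comment(Implicit):            # plays the role of "aComment"
    def __init__(self, comment, author):
        self.comment, self.author = comment, author

class Board:
    __roles__ = ('Anonymous', 'Manager')  # constructed security setting
    def __init__(self):
        self.comments = []
    def getAllCommentsBare(self):   # as in the question: unwrapped objects
        return self.comments
    def getAllComments(self):       # as in the reply: wrapped in context
        return [c.__of__(self) for c in self.comments]

def render_authors(comments, user_roles=('Anonymous',)):
    """Mimics <dtml-in>/<dtml-var author> doing a guarded attribute read."""
    return [guarded_getattr(c, 'author', user_roles) for c in comments]
```

In this model the bare `Comment` has nowhere to find `__roles__`, so the read of `author` raises `Unauthorized: author`; the wrapped one finds the roles on its container.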