[Zope3-Users] Security in Code, example, why does this work?
Reinhold Strobl
reinhold.strobl at gmx.net
Sun Apr 9 09:21:55 EDT 2006
Hi,
I am currently dealing with security and I found a "strange" behaviour of Zope.
Ok, I will some up it in short:
I have defined the following components:
1. A view component, which I have registered in the following way:
<browser:page
for="*"
name="test3.html"
class="bookapp.mc.Mc"
template="a.pt"
permission="zope.Public"
>
</browser:page>
So, there is a template a.pt, which calls a method of the class bookapp.mc.Mc
2. The base class of the view has got a mehtod, which is called from the
template. And the method looks like the following:
ut = zapi.getUtility(IBookstore)
ret = ut.test3()
So the method of the base class of the view tries to get a Utility and then
calls a function of the utility
2. A utility, what it does, is not important, I have registered it the following
way:
<utility
provides=".interfaces.IBookstore"
factory=".bookstore.Bookstore"
permission="zope.ManageContent"
/>
Now the important part: I have openend ZMI and do NOT login. And then I call the
view, which itself calls the utility and everything was o.k. But the problem was
I was not logged in, but the utility requires the permission
"zope.ManageContent". Why does it work??? Later I tried it with a content
component, and then I got a unauthorized exception.
So can code always access everything, or not?
Thanks a lot for your replies in advance!
More information about the Zope3-users
mailing list