[ZPT] not grokking tal/metal security

Florent Guillaume fg@nuxeo.com
Mon, 22 Apr 2002 16:21:36 +0000 (UTC)


Does the object you're returning have any security assertion in its class,
like security.declareObjectProtected('View') ?

Florent

Kevin Littlejohn  <darius@obsidian.com.au> wrote:
> Hi all,
> 
> I've been trying to use metal and tal for a new project, and I'm being
> bitten by something that looks like a bug to me.  Can someone please
> explain this behaviour?
> 
> Two TAL pages:
> 
> macros:
> <html metal:define-macro="page">
> <head><title
> tal:content="python:here.getDetails()['company_name']">company
> Name</title></head>
> <body><b tal:content="user/getUserName">Username</b> accessing <b
> tal:content="python: here.getDetails()['company_name']">Company
> Name</b><br>
> <b>Links:</b><a href="/darius/">Home Page</a><br>
> <hr>
> <div metal:define-slot="main">Main Page</div></body></html>
> 
> index_html:
> <html metal:use-macro="here/macros/macros/page">
> <head><title>Welcome to Jet</title></head>
> <body>
> <div metal:fill-slot="main">
> Current Choices:
> <ul>
>     <li><a href="listUsers">List all Users</a></li>
> </ul>
> </div>
> </body>
> </html>
> 
> Now, if I refer to
> tal:content="python:here/getDetails()['company_name']" in index_html, it
> works - that method requires a certain set of privileges, which I have
> when I'm logged in.  But in macros, it seems that I've been demoted to
> an Anonymous User - if I try and load index_html as it is above when
> Anonymous User doesn't have "view" privileges, I get told "You are not
> allowed to access macros in this context".  If I try and fudge around
> that, I can pretty much verify that by the time I'm rendering the macro,
> I'm Anonymous User, instead of myself.
> 
> Am I doing something wrong?
> 
> I'm striking a similar, though different, problem with a line that
> reads:
> tal:content="python:here.customer(request.user_cid).getDetails()", where
> here.customer() returns a Customer object, which has a getDetails()
> method - by the time I'm calling the getDetails method, I'm Anonymous
> User again, even though the call to here.customer() is made as me.
> 
> Confused,
> KevinL
> -- 
> Internet techie                    Obsidian Consulting Group
> Phone: +613 9653 9364                    Fax: +613 9354 2681
> http://www.obsidian.com.au/           darius@obsidian.com.au


-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com