[ZPT] Re: Please help: No protection for PageTemplateFile!!

Evan Simpson evan@zope.com
Tue, 29 Jan 2002 12:02:19 -0500

Dirksen Lau wrote:
 > I want to shut off anonymous access to my class, but to my surprise,
 > instances of PageTemplateFile leak through the security check, even
 > the id of which starts with 'manage_'! Here's my class

Thanks for uncovering this.  There were some bad security declarations
in both Script.py and PageTemplateFile.py.  Here are the diffs:

<         ('View', ('__call__','','ZPythonScriptHTML_tryAction')),
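Review bot: The deleted entry on this line binds three names to 'View' at once ('__call__', the empty string and 'ZPythonScriptHTML_tryAction'), but the hunk carries no file name or surrounding context, so a reader cannot tell which of the two files it belongs to or what permission each of those three names falls back to once the entry is gone. Please repost as a unified diff with file headers, and say explicitly which declaration now covers 'ZPythonScriptHTML_tryAction', since it is dropped here together with '__call__'.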

<     security.declareObjectProtected('View')
<     security.declareProtected('View', '__call__')
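Review bot: After removing both security.declareObjectProtected('View') and security.declareProtected('View', '__call__'), nothing in this hunk shows what governs '__call__' on the class, so the change relies entirely on the container-level setting being picked up. Please add a regression test that an anonymous request to a PageTemplateFile attribute in a container with 'View' restricted is refused, including one whose id starts with 'manage_' as in the original report, so the class-level declarations cannot be reintroduced unnoticed.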

(in other words, just delete those lines from those files)
These overrode any attempt to set security at the container level.


Evan @ Zope