[Zope3-Users] ForbiddenAttribute with defaultView directive
hass
2009-09-12 12:46:18 UTC
Hi,

I have a ZCML declaration like this for the "StudentDisplay" view:

<z3c:pagelet
for="..IStudent"
name = "top.html"
class=".StudentDisplay"
permission = "student.edit"
layer = ...
/>

<browser:defaultView
for = "..IStudent"
name = "top.html"
layer = ...
/>

In the "StudentDisplay" view I have the following line:

orders = [ purchase.order for purchase in self.context['orders'] ]

Now, the "purchase" object does not have any security declarations (with
the "require" directive), and the above line (which is accessing the
"order" attribute) should produce a ForbiddenAttribute. However, there
is something which I don't get.

When I access the "student_object/top.html" page, I do not get any
errors and "can" access the "order" attribute of the purchase object. On
the other hand, when I don't explicitly enter the full URL and want to
take advantage of the defaultView directive (when accessing
"student_object/"), there is a ForbiddenAttribute.

The user is the same and has the exact same permissions.
Can anyone please explain this behavior to me?
Thank you!
Hass
Markus Kemmerling
2009-09-12 15:05:49 UTC
Hass,

Do you use some version of z3c.layer that's registering standard Zope
traversers as trusted adapters, like, e.g.:

<adapter
for="zope.container.interfaces.IItemContainer
z3c.layer.trusted.ITrustedBrowserLayer"
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
factory="zope.container.traversal.ItemTraverser"
permission="zope.Public"
trusted="True"
/>

In this case, if you traverse to 'student_object/top.html' the
ItemTraverser will try to look up the view:

view = queryMultiAdapter((self.context, request), name=name)

Since the traverser is trusted the view will be looked up with a non-
security-proxied purchase object. As a result the security
declarations of your Purchase class will be ineffective.

Try to traverse to 'student_object/@@top.html', i.e. explicitly using
the 'view' namespace instead of the ItemTraverser's fallback to a view
lookup. If I'm right, this will correctly raise a ForbiddenAttribute.

In any case: If you get a ForbiddenAttribute the user permissions are
not the problem. In the latter case you would get an Unauthorized
exception.

Regards,
Markus Kemmerling
Post by hass
Hi,
<z3c:pagelet
for="..IStudent"
name = "top.html"
class=".StudentDisplay"
permission = "student.edit"
layer = ...
/>
<browser:defaultView
for = "..IStudent"
name = "top.html"
layer = ...
/>
orders = [ purchase.order for purchase in self.context['orders'] ]
Now, the "purchase" object does not have any security declarations (with
the "require" directive), and the above line (which is accessing the
"order" attribute) should produce a ForbiddenAttribute. However, there
is something which I don't get.
When I access the "student_object/top.html" page, I do not get any
errors and "can" access the "order" attribute of the purchase object. On
the other hand, when I don't explicitly enter the full URL and want to
take advantage of the defaultView directive (when accessing
"student_object/"), there is a ForbiddenAttribute.
The user is the same and has the exact same permissions.
Can anyone please explain this behavior to me?
Thank you!
Hass
_______________________________________________
Zope3-users mailing list
https://mail.zope.org/mailman/listinfo/zope3-users
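The distinction Markus draws (ForbiddenAttribute means "no security declaration at all", Unauthorized means "declared, but the principal lacks the permission", and a trusted traverser hands the view an unproxied context so neither check fires) can be made concrete with a small model. The following is an added example, not code from the thread or from zope.security: it re-implements a minimal security proxy with the same exception names and checker semantics so it runs without Zope installed. The class names Purchase, Principal, Checker and SecurityProxy, the helper traverse_and_render, and the sample purchases and principals are all constructed for this illustration; only the attribute name "order" and the permission "student.edit" come from the thread.

```python
from dataclasses import dataclass, field


class ForbiddenAttribute(Exception):
    """No security declaration covers the attribute (no <require> for it)."""


class Unauthorized(Exception):
    """The attribute is declared, but the principal lacks the permission."""


PUBLIC = "zope.Public"


@dataclass
class Principal:
    """Hypothetical principal: an id plus the permissions it has been granted."""
    id: str
    permissions: frozenset = field(default_factory=frozenset)


class Purchase:
    """Stand-in for the 'purchase' objects in the thread; 'order' is its attribute."""

    def __init__(self, order):
        self.order = order


class Checker:
    """Maps attribute name -> permission required to read it (simplified model
    of a zope.security checker built from <require> directives)."""

    def __init__(self, get_permissions):
        self._get = dict(get_permissions)

    def check_getattr(self, principal, name):
        perm = self._get.get(name)
        if perm is None:
            # Undeclared attribute: Forbidden, regardless of who is asking.
            raise ForbiddenAttribute(name)
        if perm != PUBLIC and perm not in principal.permissions:
            # Declared attribute, wrong principal: Unauthorized.
            raise Unauthorized("%s lacks %s for %s" % (principal.id, perm, name))


class SecurityProxy:
    """Minimal proxy: every attribute read is checked before being delegated."""

    def __init__(self, obj, checker, principal):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)
        object.__setattr__(self, "_principal", principal)

    def __getattr__(self, name):
        self._checker.check_getattr(self._principal, name)
        return getattr(self._obj, name)


def remove_security_proxy(obj):
    """What a *trusted* traverser effectively hands to the view: the bare object."""
    return obj._obj if isinstance(obj, SecurityProxy) else obj


def collect_orders(purchases):
    """The view's list comprehension from the thread."""
    return [purchase.order for purchase in purchases]


def traverse_and_render(purchases, checker, principal, trusted):
    """Model the two traversal paths: a trusted traverser strips the proxies
    before the view runs; an untrusted one (the defaultView path) leaves them
    in place. Returns 'ok', 'ForbiddenAttribute' or 'Unauthorized'."""
    context = [SecurityProxy(p, checker, principal) for p in purchases]
    if trusted:
        context = [remove_security_proxy(p) for p in context]
    try:
        collect_orders(context)
        return "ok"
    except ForbiddenAttribute:
        return "ForbiddenAttribute"
    except Unauthorized:
        return "Unauthorized"


# Constructed sample data for the demonstration.
PURCHASES = [Purchase("order-1"), Purchase("order-2")]
UNDECLARED = Checker({})                          # no <require> for Purchase at all
DECLARED = Checker({"order": "student.edit"})     # <require permission="student.edit" attributes="order"/>
EDITOR = Principal("editor", frozenset({"student.edit"}))
GUEST = Principal("guest")

if __name__ == "__main__":
    # 'student_object/' through an untrusted traverser: proxies stay on.
    print("undeclared, untrusted:", traverse_and_render(PURCHASES, UNDECLARED, EDITOR, trusted=False))
    # 'student_object/top.html' through a trusted ItemTraverser: proxies stripped.
    print("undeclared, trusted:  ", traverse_and_render(PURCHASES, UNDECLARED, EDITOR, trusted=True))
    # Declared attribute, principal without the permission: a real permission problem.
    print("declared, guest:      ", traverse_and_render(PURCHASES, DECLARED, GUEST, trusted=False))
    print("declared, editor:     ", traverse_and_render(PURCHASES, DECLARED, EDITOR, trusted=False))
```

The first two calls reproduce the asymmetry in the original question: the same principal gets ForbiddenAttribute on the defaultView path and a clean render on the trusted path, because the trusted traverser removed the proxies rather than because any permission changed. The last two calls show the case Markus separates out: once `order` is declared, a missing permission surfaces as Unauthorized, which is the only outcome that actually points at the user's grants. The practical check is therefore to compare the exception type first, and to treat a trusted traverser that silently strips proxies before a view runs as a configuration risk, since it disables the declarations the view relies on.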