zope_security_observations
by Jörg Baach — last modified Feb 16, 2006 10:19 AM
Findings about Zope's security mechanism
* You can raise a string "Unauthorized" to create a 401 error.
* The user you get via sm.getUser reflects the login/password passed by the browser, not the user actually needed. That means a script can be accessible under 'view' and still raise a 401 from inside.
* The security declarations are made within the class of the objects, usually on the instances as well as on methods, via security.declareProtected.
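Added example, not code from the original notes or from Zope itself: a constructed Python model of the two findings above (declarations made on the class via security.declareProtected, and an inner Unauthorized raised with the request's user after the outer 'View' check has already passed). The class names mimic the shape of AccessControl's ClassSecurityInfo and getSecurityManager, but the logic is a stand-in and the role-to-permission map is made up.

```python
from collections import namedtuple
class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized; the publisher maps it to a 401."""

class ClassSecurityInfo:
    """Records method -> permission, as security.declareProtected does in a class body."""
    def __init__(self):
        self.protected = {}
    def declareProtected(self, permission, *names):
        for name in names:
            self.protected[name] = permission
# Constructed role-to-permission map; real Zope keeps this per object in its role manager.
ROLE_PERMISSIONS = {"View": {"Anonymous", "Manager"}, "Manage properties": {"Manager"}}
User = namedtuple("User", "name roles")  # roles: set of role names granted to the login
class SecurityManager:
    """Carries the user built from the request's credentials, like getSecurityManager()."""
    def __init__(self, user):
        self._user = user
    def getUser(self):
        return self._user
    def checkPermission(self, permission):
        return bool(self._user.roles & ROLE_PERMISSIONS.get(permission, set()))

class PropertyTool:
    security = ClassSecurityInfo()
    security.declareProtected("View", "viewAndEdit")
    security.declareProtected("Manage properties", "setProperty")
    def __init__(self):
        self.props = {}
    def setProperty(self, sm, key, value):
        self.props[key] = value
        return sorted(self.props)
    def viewAndEdit(self, sm, key, value):
        # Published under 'View', so anonymous callers pass the outer check; the inner
        # check against the request's user can still raise a 401 from inside the method.
        if not sm.checkPermission("Manage properties"):
            raise Unauthorized("Manage properties needed by %s" % sm.getUser().name)
        return self.setProperty(sm, key, value)

def publish(obj, name, user, *args):
    """Publisher: outer check on the method's own declaration, then the call; Unauthorized -> 401."""
    sm = SecurityManager(user)
    try:
        perm = obj.security.protected.get(name)
        if perm is None or not sm.checkPermission(perm):
            raise Unauthorized(name)
        return 200, getattr(obj, name)(sm, *args)
    except Unauthorized as exc:
        return 401, str(exc)
```

Calling publish for an anonymous user on setProperty fails at the outer check, while viewAndEdit passes it and only fails inside, which is the second finding in miniature.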
Questions:
* What's the purpose of __ac_permissions, as found in PropertyTools?