Learning about ATFolder's security

22 March 2007   0 comments   Plone

Powered by Fusion×

I just learned something interesting about ATFolders in Plone. For the non-Plone readers, an ATFolder is Plone's take on a normal Zope Folder but based on Archetypes instead. To begin with, Plone overrides the function manage_addFolder which means that if you do context.portal_url.getPortalObject().manage_addFolder(...) in Plone you get an ATFolder instead of a normal Folder. Fair enough.

The problem I had was that ATFolders override the manage_delObjects() function not only is it's security defined in the container, it also does a security check within. I don't know why but I'm sure there's a reason. What this means is that you can't use some_at_folder.manage_delObjects([...]) in External Methods and expect no Unauthorized errors.

I solved this security problem I had by instead creating a normal Zope folder by doing it this way instead:

portal_root = self.portal_url.getPortalObject()
adder = portal_root.manage_addProduct['OFSP'].manage_addFolder


Your email will never ever be published

Related posts

Associative arrays 21 March 2007
Is peanut butter the proof that evolution doesn't happen? 29 March 2007