Learning about ATFolder's security

22 March 2007   0 comments   Plone

Mind That Age!

This blog post is 11 years old! Most likely, its content is outdated. Especially if it's technical.

I just learned something interesting about ATFolders in Plone. For the non-Plone readers, an ATFolder is Plone's take on a normal Zope Folder but based on Archetypes instead. To begin with, Plone overrides the function manage_addFolder which means that if you do context.portal_url.getPortalObject().manage_addFolder(...) in Plone you get an ATFolder instead of a normal Folder. Fair enough.

The problem I had was that ATFolders override the manage_delObjects() function not only is it's security defined in the container, it also does a security check within. I don't know why but I'm sure there's a reason. What this means is that you can't use some_at_folder.manage_delObjects([...]) in External Methods and expect no Unauthorized errors.

I solved this security problem I had by instead creating a normal Zope folder by doing it this way instead:

portal_root = self.portal_url.getPortalObject()
adder = portal_root.manage_addProduct['OFSP'].manage_addFolder


Your email will never ever be published

Related posts

Associative arrays 21 March 2007
Is peanut butter the proof that evolution doesn't happen? 29 March 2007
Related by Text:
Be very careful with your add_header in Nginx! You might make your site insecure 11 February 2018
jQuery and Highslide JS 08 January 2008
I'm back! Peterbe.com has been renewed 05 June 2005
Anti-McCain propaganda videos 12 August 2008
I'm Prolog 01 May 2007