Learning about ATFolder's security

22 March 2007   0 comments   Plone

Mind That Age!

This blog post is 11 years old! Most likely, its content is outdated. Especially if it's technical.

Powered by Fusion×

I just learned something interesting about ATFolders in Plone. For the non-Plone readers, an ATFolder is Plone's take on a normal Zope Folder but based on Archetypes instead. To begin with, Plone overrides the function manage_addFolder which means that if you do context.portal_url.getPortalObject().manage_addFolder(...) in Plone you get an ATFolder instead of a normal Folder. Fair enough.

The problem I had was that ATFolders override the manage_delObjects() function not only is it's security defined in the container, it also does a security check within. I don't know why but I'm sure there's a reason. What this means is that you can't use some_at_folder.manage_delObjects([...]) in External Methods and expect no Unauthorized errors.

I solved this security problem I had by instead creating a normal Zope folder by doing it this way instead:

portal_root = self.portal_url.getPortalObject()
adder = portal_root.manage_addProduct['OFSP'].manage_addFolder


Thank you for posting a comment

Your email will never ever be published

Related posts

Associative arrays 21 March 2007
Is peanut butter the proof that evolution doesn't happen? 29 March 2007
Related by Text:
__call__ folderish Zope objects 19 December 2004
Setting security declarations to Zope classes 02 February 2006
niceboolean() - converts what you say to what you mean 21 January 2005
Why Django and Grok matters 02 February 2008
When '_properties' gets stuck as a persistent attribute 01 October 2008