Hello Dieter!
> Zope security had been strengthened to explicitly forbid access to objects outside the folder covered by the authenticating user folder.
That's good in terms of security. But also extremely limiting. My idea was that I'd be able to say "All editors can edit stuff" and protect the corresponding methods with the "Edit stuff" permission. Then I'd assign the "Editor" role on a local basis, either using local roles or our Slave User Folder. So I could have an Editor that can edit stuff in some subfolders (where he is "Editor"), but not everywhere. With the limitations the security machinery seems to have, I'll have to do it the hard way: set up all users in the root folder and then create dozens or even hundreds of dedicated roles like "Add stuff to folder FOLDER" or "Add stuff to folder ROOT" ... This is ugly ... Isn't there any better way?
> > The funny thing is: http://.../ROOT/FOLDER/title will work fine ...
>
> Indeed, funny. Should probably not happen. Are you sure you get the "title" from root and not that from "FOLDER" (it has a "title" of its own)?
The "title" thing was a bad example, as there is a "title" attribute. In the real case it is not "title" but "managementButtonBar", so the naming issue is none. And I verified the thing again: It really works the way I described it ...
> > Also, if the user is in the ROOT folder, everything works fine. But then I can't really do what I want, i.e. restrict permissions to the FOLDER folder ....
>
> That's to be expected, because then the authenticating user folder covers the "title" method.
I understand ...

Cheers
Joachim