Dieter Maurer wrote:
Andre Schubert writes:
i have a little security problem. let me explain.
root/
  index_html
  foo/
    acl_users/
    bar/
      Image
I have an image which can only be viewed by users with a role named foobar; these users are in acl_users. If I access the image through the web I must authenticate myself the first time, after that everything works well. But if I want to access the Image via <dtml-var Image> from the index_html in the root folder I get no access.
I expect you got hit by a (in my view stupid) security feature:
When you are not authorized to access an object, then you should not even see that it is there.
This is achieved by turning "Unauthorized" exceptions into "KeyError" exceptions under some circumstances.
The effect is similar to what you describe (at least, if I interpret "got no access" as a "NameError" or "KeyError" for "Image").
If, however, you keep getting "Unauthorized" exceptions (i.e. login requests), then the reason may be that your initial request did not get authenticated by "foo/acl_users" but by a higher level "acl_users" that does not assign the correct role to the user.
This is exactly what I want. I want a user who has to log in with foo/acl_users. And this user should be allowed to view the Image through DTML. Have I misunderstood restrictedTraverse, which says that an object will be accessed by traversing a path and checking permissions for each object?
as
Dieter
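As an added illustration of the behaviour Dieter describes (example code, not part of the thread or of Zope itself), a small Python model of restricted traversal: the request is authenticated only by user folders on the published path, and an Unauthorized at any step of the later traversal is reported as KeyError. The folder layout, the user name "andre" and the roles are assumptions.

```python
# Added example, not Zope's own code: a toy model of the behaviour Dieter
# describes. Folder layout, user names and roles are assumptions.
class Unauthorized(Exception):
    """The user lacks the role an object requires."""
class Node:
    def __init__(self, name, required_role=None, acl_users=None, children=()):
        self.name, self.required_role = name, required_role  # None: public
        self.acl_users = acl_users or {}     # user -> roles (a "user folder")
        self.children = {c.name: c for c in children}

def authenticate(root, published_path, user):
    """Roles for `user` on a request publishing `published_path`. Assumption: only
    user folders on that path are asked, nearest the published object first."""
    node, on_path = root, [root]
    for part in published_path.split("/"):
        node = node.children[part]
        on_path.append(node)
    for folder in reversed(on_path):
        if user in folder.acl_users:
            return folder.acl_users[user]
    return set()   # unknown user: anonymous, no roles

def restricted_traverse(root, path, roles):
    """Walk `path` checking the required role at every step; Unauthorized is
    reported as KeyError, so a hidden object looks like a missing one."""
    node = root
    for part in path.split("/"):
        try:
            node = node.children[part]
            if node.required_role and node.required_role not in roles:
                raise Unauthorized(part)
        except Unauthorized:
            raise KeyError(part) from None   # hide that the object exists
    return node

def build_site():
    """root/index_html, foo/acl_users granting foobar, foo/bar/Image."""
    image = Node("Image", required_role="foobar")
    foo = Node("foo", acl_users={"andre": {"Authenticated", "foobar"}},
               children=[Node("bar", children=[image])])
    return Node("root", acl_users={"andre": {"Authenticated"}},
                children=[Node("index_html"), foo])

def fetch_image(root, published_path, user):
    """Authenticate for `published_path`, then reach foo/bar/Image as DTML would."""
    roles = authenticate(root, published_path, user)
    try:
        return restricted_traverse(root, "foo/bar/Image", roles).name
    except KeyError:
        return "KeyError"
```

Publishing root/index_html never consults foo/acl_users, so the DTML access to Image ends in KeyError even for a user that foo/acl_users would grant foobar; requesting the Image directly authenticates through foo/acl_users and succeeds.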
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )