Joachim Werner writes:
> I am trying to get into understanding the Zope security machinery (Zope 2.4), and it seems to not quite do things as expected:
> I have a Folder hierarchy like this:
> ROOT --FOLDER
> - In ROOT I have a method "title" and the "index_html" method
> - I have a user "Charly" that has the role "TitleViewer" in a user folder in FOLDER
> - the method "title" has View permissions linked to "TitleViewer" and "Manager"
> - the "index_html" method contains a string "<dtml-var title missing>"
> Now I go to http://.../ROOT/FOLDER/index_html. My user is "Charly".
> I would expect to see the title now, but I don't. If I remove the "missing" from the <dtml-var title>, I will get a key error for "title".
That's as it should be:
Zope security has been strengthened to explicitly forbid access to objects outside the folder covered by the authenticating user folder.
> The funny thing is: http://.../ROOT/FOLDER/title will work fine ...
Indeed, funny. Should probably not happen. Are you sure you get the "title" from ROOT and not the one from "FOLDER" (it has a "title" of its own)?
> Also, if the user is in the ROOT folder, everything works fine. But then I can't really do what I want, i.e. restrict permissions to the FOLDER folder ....
That's to be expected, because then the authenticating user folder covers the "title" method.
Dieter
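As an added illustration that is not part of the thread and not Zope's own security code, here is a constructed Python model of the scope rule Dieter describes: a role match alone is not enough, the object also has to live inside the folder whose user folder authenticated the user. The `Folder`, `authenticate` and `allowed` names and the role-to-method mapping are assumptions of this model.

```python
# Constructed model (not Zope's implementation) of the rule that a user
# authenticated by a user folder in FOLDER may not reach objects acquired
# from ROOT, even when the object's View roles include the user's role.
from dataclasses import dataclass, field

@dataclass
class Folder:
    name: str
    parent: "Folder" = None
    # method name -> roles allowed to View it (assumed permission mapping)
    view_roles: dict = field(default_factory=dict)
    # users defined in this folder's user folder: name -> roles
    users: dict = field(default_factory=dict)

    def path(self):
        # Containment chain from the root down to this folder
        return (self.parent.path() if self.parent else []) + [self]

    def lookup(self, method):
        # Acquisition: walk up until some folder provides the method
        f = self
        while f is not None:
            if method in f.view_roles:
                return f
            f = f.parent
        return None

def authenticate(username, folder):
    # The nearest user folder (walking up from the request context)
    # that knows the user; returns its container and the user's roles
    f = folder
    while f is not None:
        if username in f.users:
            return f, f.users[username]
        f = f.parent
    return None, ()

def allowed(username, context, method):
    uf_container, roles = authenticate(username, context)
    owner = context.lookup(method)   # folder the method is acquired from
    if uf_container is None or owner is None:
        return False
    if not set(roles) & set(owner.view_roles[method]):
        return False                  # role check fails
    # Scope check: the folder providing the object must be the user
    # folder's container or lie below it; ROOT/title fails this when
    # Charly is defined in FOLDER.
    return uf_container in owner.path()

# Joachim's setup: title defined in ROOT, Charly defined in FOLDER
ROOT = Folder("ROOT", view_roles={"title": ["TitleViewer", "Manager"]})
FOLDER = Folder("FOLDER", parent=ROOT, users={"Charly": ["TitleViewer"]})
```

`allowed("Charly", FOLDER, "title")` is False for this tree; moving Charly's user folder to ROOT, or giving FOLDER a "title" of its own (Dieter's suspicion), makes it True.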