Problem solved!

In the case outlined below "this" will point somewhere else, probably to the DTMLMethod that contains the HTML code. By setting the magic variable "here" to self and using
AUTHENTICATED_USER.has_permission('Permission', here)
instead of
AUTHENTICATED_USER.has_permission('Permission', this)
it works!

Thanks for the nonexistent support. ;-) Well, explaining the problem to somebody else helps sometimes even if they have no clue what you are talking about, so... :-)

Still no luck with the strange refresh problems though...

Best Regards

Lennart Regebro
Torped Strategi och Kommunikation AB

----- Original Message -----
From: "Lennart Regebro" <lennart@torped.se>
To: <zope-dev@zope.org>
Sent: Saturday, June 01, 2002 5:16 PM
Subject: [Zope-dev] Weird permission happenings: Is Manager magic?

This is the situation:
Zope 2.5.1/Python 2.1.3
I'm calling index_html on an object. Index_html in turn finds a template and calls "template.view(self)" on it. The template.view pushes itself on the context in between the object and the object's parent, thusly:
object.aq_parent thetemplateobjects object
It then calls "DTMLMethod.__call__( context, REQUEST, RESPONSE)" to render the DTMLMethod that contains the template itself, and thereby render the object.
This works very well, for all purposes except when it comes to security. In the DTMLMethod that contains the HTML I can for example do this:
<dtml-var "AUTHENTICATED_USER.has_permission('View', this)">
And here comes the weird part:
If I am logged in as a user who has the Manager role, the result will be "1" of the above dtml-var, as expected. However, if I log in as a user who is not Manager, the result will be "None", no matter if the user has the permission or not!
I have created a role that has all permissions in the root. All permissions are acquired over the whole site (which is a very small development site), and still the above returns "None"!