On 24 Jan 2002, Leonardo Rochael Almeida wrote:
When you give a method one or more proxy roles, the user that can view/call it assumes these roles instead of his own. That means he has the permissions these proxy roles have, instead of the permissions his own roles would give him (which means proxy-roles can enhance as well as reduce permissions). This means proxy roles only work for that method that is being viewed/called (and other methods called from it as well),
Actually, I believe this is not true. My understanding is that the proxy is only good for the method it is on. If it calls another DTML method, that sub-DTML method runs with the original user's roles. I believe the same is true for called pythonscripts. Actually, writing that down calls forth a question. If you put a proxy role on a method to *reduce* priviledges, shouldn't the reduction apply to called methods even if an increase in permissions doesn't apply to called methods? Does it? --RDM