Thanks, your points about "Access contents information" vs "View" enlightened me enough to fix my problems. Florent Stuart Bishop <zen@shangri-la.dropbear.id.au> wrote:
On Sunday, May 12, 2002, at 01:27 AM, Florent Guillaume wrote:
With an object path /A/B/C where C has a local role allowing a user to view C but where B disallows acquisition of the View permission, the publisher correctly allows the user to see C.
However restrictedTraverse('/A/B/C') fails ("You are not allowed to access B in this context"). This is because restrictedTraverse checks the security (using "validate") at *every* step, and obviously the user is not allowed to see B. Is there a reason for this ? Why not simply validate only at the last step ?
Note that it doesn't check for the View permission though - it checks for the 'Access contents information' permission. If this fails, it fails because the site manager has explicitly said that a group of users is not allowed to access any objects below this point.
-- Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com