It seems to me that a User should not get to keep their roles in the acquired objects which are above the User Folder in which the user is defined... However, that does not seem to be true according to my testing.

This is what happens. Imagine a tree like this:

root-folder1-acl_users
    \folder2-object1

root has a role called 'User' with 'View' permissions (anonymous is disabled) and acl_users has a user called joe.

joe can access objects in folder2 according to the permissions set on the root by using acquisition like this:

http://server/folder1/folder2/object1

joe cannot, however, access them directly:

http://server/folder2/object1

Does this seem strange to anybody else, or have I just been working too long?

_____________________________________________________
Tim McLaughlin
iterationZERO - www.iterationzero.com
703-481-2233

Tim McLaughlin wrote:
root has a role called 'User' with 'View' permissions (anonymous is disabled) and acl_users has a user called joe.

joe can access objects in folder2 according to the permissions set on the root by using acquisition like this:

http://server/folder1/folder2/object1

joe cannot, however, access them directly:

http://server/folder2/object1

Does this seem strange to anybody else, or have I just been working too long?

What version of Zope? What OS? Are you using a user folder other than the "stock" acl_users?

Shane