Dieter,

It is possible, unless you take the "Authenticated" role off (by unchecking it in Security). I thought as you did, that it should not be possible. Here is a bit from a previous post I did:

==========================
For example, I have this folder structure:

/dev
/dev/test/dir1
/dev/test/dir2
/dev/1stbyte
/dev/1stbyte/folder1
/dev/1stbyte/folder2
/dev/tsport
/dev/tsport/db
/dev/tsport/db-01
/dev/tsport/db-02

--- Each of the lower subfolders (dir1, db, folder1 and 2) has its own acl_users and user accounts ---

If I type in /dev/test/dir1 and consequently authenticate, I get in normally. Then if I continue and change the URL to:

/dev/test/dir1/dev/tsport/manage

I GET IN! All I need to do is add a new user to /dev/test/dir1/dev/tsport/db/acl_users (which I can access) and I've got a user account! That sucks!
==========================

This is not cool! I did post a bug report, but haven't heard anything yet. Malcolm's workaround works: you just need to remove the "Authenticated" role and add a custom one. I'd like to test Dario's solution; adding "non-acquiring" folders might be nice. But really, it should be fixed at the lowest level possible, I would think.

Greg

On Wed, 9 Mar 2005 19:23:53 +0100, Dieter Maurer <dieter@handshake.de> wrote:
> Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
>> The issue can be worked around more easily than this. It is only the magic "Authenticated" role which appears to suffer from this problem.
>
> It should not be necessary:
> A user should not be able to access any *protected* (!) object outside the subhierarchy governed by the user folder that authenticated the user.
> But maybe we have a bug (and "aq_inContextOf" does not work as expected).
>
> --
> Dieter

--
Greg Fischer
1st Byte Solutions
http://www.1stbyte.com

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
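The thread above describes two different questions a user folder could ask before granting access: is the requested object in the *acquisition context* of the folder that authenticated the user (true for /dev/test/dir1/dev/tsport/db, because the URL passed through dir1), or is it *physically contained* in that folder (false, because /dev/tsport/db lives elsewhere)? The following Python is an added toy model that is not Zope code and not from any poster on the list: the Folder class, traverse(), lookup(), physically_inside(), in_acquisition_context() and decide() are hypothetical simplifications of Zope acquisition and of a user-folder containment check, and the folder tree is the one from Greg's message. It resolves Greg's URL, shows that the physical target is /dev/tsport/db, and shows that a context-chain check lets the dir1 user through while a containment check refuses.

```python
"""Toy model of acquisition traversal and a user-folder containment check.

Added illustration, not Zope code.  Hypothetical names: Folder, build_tree,
lookup, traverse, physically_inside, in_acquisition_context, decide.
"""


class Folder:
    """A folder in the tree; has_user_folder models an acl_users inside it."""

    def __init__(self, name, parent=None, has_user_folder=False):
        self.name = name
        self.parent = parent
        self.children = {}
        self.has_user_folder = has_user_folder
        if parent is not None:
            parent.children[name] = self

    def path(self):
        """Physical path, e.g. '/dev/tsport/db' (root is '/')."""
        parts = []
        node = self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts[:-1]))


def build_tree():
    """The folder layout from Greg's post (constructed sample data)."""
    root = Folder("")
    dev = Folder("dev", root)
    test = Folder("test", dev)
    Folder("dir1", test, has_user_folder=True)
    Folder("dir2", test)
    byte1 = Folder("1stbyte", dev)
    Folder("folder1", byte1, has_user_folder=True)
    Folder("folder2", byte1, has_user_folder=True)
    tsport = Folder("tsport", dev)
    Folder("db", tsport, has_user_folder=True)
    Folder("db-01", tsport)
    Folder("db-02", tsport)
    return root


def lookup(root, physical_path):
    """Descend physically only (no acquisition); None if missing."""
    node = root
    for seg in [s for s in physical_path.split("/") if s]:
        node = node.children.get(seg)
        if node is None:
            return None
    return node


def traverse(root, url_path):
    """Resolve a URL with acquisition: a segment missing from the current
    folder is looked up in the folders already traversed, nearest first.
    Returns (target, chain) where chain is the acquisition context, or
    (None, chain) if a segment is found nowhere."""
    chain = [root]
    for seg in [s for s in url_path.split("/") if s]:
        for ctx in reversed(chain):
            if seg in ctx.children:
                chain.append(ctx.children[seg])
                break
        else:
            return None, chain
    return chain[-1], chain


def physically_inside(obj, container):
    """True if container is obj or one of obj's physical ancestors."""
    node = obj
    while node is not None:
        if node is container:
            return True
        node = node.parent
    return False


def in_acquisition_context(chain, container):
    """True if container was passed through while traversing the URL."""
    return any(ctx is container for ctx in chain)


def decide(root, url, authenticated_at, check="containment"):
    """Access decision for a user whose acl_users lives in authenticated_at.
    check='context' models the permissive behaviour Greg observed;
    check='containment' models the rule Dieter states."""
    target, chain = traverse(root, url)
    if target is None:
        return "not found"
    if check == "context":
        ok = in_acquisition_context(chain, authenticated_at)
    else:
        ok = physically_inside(target, authenticated_at)
    return "allowed" if ok else "denied"


if __name__ == "__main__":
    root = build_tree()
    dir1 = lookup(root, "/dev/test/dir1")
    url = "/dev/test/dir1/dev/tsport/db"
    target, _ = traverse(root, url)
    print(url, "->", target.path())
    for mode in ("context", "containment"):
        print(mode, decide(root, url, dir1, mode))
```

Running the block resolves /dev/test/dir1/dev/tsport/db to the physical object /dev/tsport/db, reports "allowed" under the context check and "denied" under the containment check; a direct request for /dev/tsport/db is denied under both, since dir1 is then neither in the context chain nor an ancestor of the target.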