Gilles Lavaux writes:
Maybe the answer is easy, but I cannot find the solution: (and maybe I was completely wrong about permissions)
I have a folder containing SQLs and methods, /project, and a subfolder which has its access and view security settings disabled for anonymous: /project/protected
When anonymous accesses /project/index_html, he sees the page: that's good.
1) When anonymous accesses /project/protected/index_html, he also sees the page. Is that normal? (The index_html is of course only inside /project.)
2) If anonymous accesses /project/protected/some_method_with_sql and the result is empty, he sees the result page! That's strange. But if the result is not empty, he gets the authentication box: that's good.
It's Zope 2.2.1.

The security system does not use the full acquisition context but only the containment. This is a security feature to prevent a user with partial management rights in a subfolder from affecting permissions for objects outside its area.
I think (I am not sure!) that in your case, the "protected" context is not used, as your objects are in fact outside "protected".

Dieter
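
The difference between containment and URL context described in the reply, as an added example that is not part of the original thread and is not Zope's code. It is a simplified model: the class, the function names and the `secret_page` object are assumptions made for illustration.

```python
# Toy model of role lookup; class and function names are hypothetical, not Zope's API.
class Obj:
    def __init__(self, name, container=None, view_roles=None):
        self.name, self.container = name, container
        self.view_roles = view_roles      # None means "inherit the setting"
        self.children = {}
        if container is not None:
            container.children[name] = self

def traverse(root, path):
    """Resolve a URL; a name missing from the current folder is acquired
    from the folders the URL passed through. Returns (object, url_context)."""
    context = [root]
    for name in path.strip("/").split("/"):
        holder = next((o for o in reversed(context) if name in o.children), None)
        if holder is None:
            raise KeyError(name)
        context.append(holder.children[name])
    return context[-1], context[:-1]

def roles_by_containment(obj, url_context):
    """Walk only the folders the object physically lives in."""
    while obj.view_roles is None:
        obj = obj.container
    return obj.view_roles

def roles_by_url_context(obj, url_context):
    """What the question assumed: the last folder in the URL decides."""
    for node in [obj] + url_context[::-1]:
        if node.view_roles is not None:
            return node.view_roles

def build_site():
    # Constructed layout matching the post, plus one object inside "protected".
    root = Obj("", view_roles={"Anonymous", "Manager"})
    project = Obj("project", root)
    Obj("index_html", project)
    protected = Obj("protected", project, view_roles={"Manager"})
    Obj("secret_page", protected)
    return root

def anonymous_can_view(root, path, policy):
    obj, url_context = traverse(root, path)
    return "Anonymous" in policy(obj, url_context)

if __name__ == "__main__":
    site = build_site()
    for policy in (roles_by_containment, roles_by_url_context):
        for p in ("/project/index_html", "/project/protected/index_html",
                  "/project/protected/secret_page"):
            print(policy.__name__, p, anonymous_can_view(site, p, policy))
```

Under the containment policy only objects stored inside /project/protected pick up its restriction, so content that must be protected has to live in the protected folder rather than be acquired through it.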