Ok. This solves a long-standing misconception on my part. Somehow I lived with the idea that the called object should have a proxy role and not the calling object. Stupid! Thanks.

cb

----- Original Message -----
From: "Lennart Regebro" <regebro@gmail.com>
To: "Kees de Brabander" <cj.de.brabander@hccnet.nl>
Cc: "zope user list" <zope@zope.org>
Sent: Saturday, February 11, 2006 2:25 PM
Subject: Re: [Zope] Zope and roles and hierarchy

On 2/11/06, Kees de Brabander <cj.de.brabander@hccnet.nl> wrote:
> By referring to 1.10 I did not intend to create the impression that I am very experienced. I am still just an average user and happy with that. But consider this use case:
>
>   f1              (folder, acquisition of View permission disabled, and granted again to all roles except Anonymous)
>     f1_index      (dtml-method)
>     f11           (folder)
>       acl_users   (user folder)
>         user1     (user object with user-defined 'student' role)
>       index_html  (dtml-method calling f1_index)
>
> When calling .../f1/f11 and authenticating as user1 in Zope 2.7.3, you will get the page, but in 2.7.8 you are not authorized.
Ah, OK, you are not calling it directly. Yes, that may be one of the security holes that was patched up in 2.7.4, I think. The solution is easy: give index_html a proxy role. In this case "Authenticated" is enough. f1_index itself, if you call it directly, will not be accessible, and that's how it has to be.