----- Original Message -----
From: "James W. Howe" <jwh@allencreek.com>
To: <zope@zope.org>
Sent: Friday, February 18, 2000 2:24 PM
Subject: [Zope] User Authentication Question

I have a folder which contains several objects, including subfolders. Some of the subfolders I have locked down so that only a manager can do anything with them. However, if I log in as a non-manager to the management interface of the parent folder, these locked down folders appear in the contents list. It seems to me that if any object isn't visible to the currently authenticated user, the object shouldn't be displayed in a contents list. Is this a bug, a feature, or a misunderstanding on my part about how authentication and object visibility should work?

If you have the "access contents information" permission for a given object, you can view the object IDs for every object contained within that object, regardless of the permissions you have for the subobjects.

I think this makes sense, because the subobjects in a container belong to that container, and a person with permissions for that container should be aware that they are there. Maybe the person doesn't have "View" permission on those subobjects, but maybe they do have some other permission.

Kevin