Dieter Maurer wrote:
When you change it, you will loose user folders in subsites (which are quite essential).
Why? all you'd need to do is open up "access contents information" so anonymous users can traverse to the user folder...
What role-to-permissions mappings do you set so that no-one can access a particular object's contents, once they know its id?
In general, this is a very difficult questions.
* The concrete permission depends on the object type. It is the permission that is defined with "declareObjectProtected(...)".
Usually it is "Access contents information", but templates use "View" instead and other objects may choose to use a different permission.
* Even when the "object permission" is not granted, special methods (protected by whatever permission) may still be able to access an object's content.
Thus, you would need to revoke grants to such permissions as well.
Hmmm, a highly unsatisfactory answer :-( Not your fault Dieter, but I really feel there should be some obvious, simple way to say "no, you can't access anything in this folder or below unless you have permission X" cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk