Hi Tilo, why dont you just set your view method an appropriate proxy role? This allows users to access view while they are not able to access the object directly. HTH Tino Wildenhain --On Samstag, 18. August 2001 17:06 +0200 Tilo Renz <tilo.renz@student.uni-ulm.de> wrote:
Hello,
I have two user groups (role student and role staff). In the following setup the method view shows Information about the XY-File stored as Properties of XY.pdf. Both roles should be allowed to view this information. _The students_must_not_be able to download XY.pdf._
My Setup: +-+-DTML-Method: view I +-Folder: data I +-File: XY.pdf
In order to make data/XY.pdf/view accessible to the students they must have the rights 'view' and 'Access contents information' on XY.pdf. Which means they also can download the file, which is unwanted.
Now I thought for solutions:
Variant A: Replace the view method by a python script show(id) which gets the Document-Id (eg XY.pdf) as Parameter and is called on the data-folder. Then setting up a proxy for show(id), so that students can call it, although they don't have any permissions on XY.pdf:
+-+-python-Script: show(id) I +-Folder: data I +-File: XY.pdf
I must call data/show?id=XY.pdf to get the information about XY Disadvantages: Not really object oriented. Needs writing a new show-script and rewriting other methods in the project because calls are now going to other URLs. More difficulties if show needs additional cgi-Parameters
Variant B: Setting up 2 Trees, data for the staff, public for students. Write a script that copies everything from data to public except the Files like XY.pdf, which should be 0-Byte copies, but with all properties. Disadvantages: Ugly redundancy. Costs disk-space and time for copying.
What do you think about my problem? What should I do? Have I overseen something and are there better solutions?
Thanks in advance.
Tilo
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )