Dieter Maurer wrote:
> This would be the case, would ZPublisher use the standard traversal procedure. But, in fact, it does not do that. Instead, it traverses to the URL addressed target disregarding any security restrictions,

I'm afraid this is incorrect.

Create a folder called "hidden". Change the Roles->Permission mapping on this such that only Manager can do anything.

Now create a Page Template called "unhidden" within "hidden". Change the Roles->Permission mapping on this such that Anonymous has "Access contents information" and "View".

Now go to /hidden/unhidden in an unauthenticated browser...

Maybe you have some patches in place which affect this, but a normal Zope server does not behave as you describe, and many people would be pretty disturbed if it did...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk