Chris Withers wrote at 2005-2-10 10:31 +0000:
Patrick Ulmer wrote:
But if I only have a DTML-Document without <dtml-in> only the security property DTML-Document.View is necessary. Is that correct?
No, you need to actually be able to get to your dtml document in the first place. That means the user must somehow get the "Access contents information" permission on its container, and its container's container, and so on, up to the root of your Zope instance...
This would be the case, would ZPublisher use the standard traversal procedure. But, in fact, it does not do that. Instead, it traverses to the URL addressed target disregarding any security restrictions, determines which roles the target needs and then looks up again for a user folder that can authenticate a user with the necessary roles. Thus, the ZPublisher allows you to access objects despite the fact that you cannot access all ancestors of such an object.

--
Dieter
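A simplified model of the two behaviours contrasted in this thread, added as an example and not taken from Zope or from any poster: a per-container check of "Access contents information" versus the publisher-style walk that authenticates only against the target's roles. The `Node` class, both function names, the dict standing in for a user folder, and the sample tree are all assumptions made for illustration.

```python
# Simplified model of the two lookups discussed in this thread.
# All names here are hypothetical; this is not ZPublisher's or Zope's code.

class Node:
    def __init__(self, name, view_roles, access_roles, users=None):
        self.name = name
        self.view_roles = set(view_roles)      # roles holding "View"
        self.access_roles = set(access_roles)  # roles holding "Access contents information"
        self.users = users or {}               # stand-in user folder: name -> (password, roles)
        self.children = {}
        self.parent = None

    def add(self, child):
        child.parent = self
        self.children[child.name] = child
        return child


def restricted_traverse(root, path, user_roles):
    """Check "Access contents information" on every container along the path."""
    node = root
    for name in path:
        if not (node.access_roles & set(user_roles)):
            return None                        # blocked at an ancestor
        node = node.children[name]
    return node if node.view_roles & set(user_roles) else None


def publish(root, path, login, password):
    """Publisher-style: walk to the target first, then authenticate against its roles."""
    node = root
    for name in path:                          # no permission checks during this walk
        node = node.children[name]
    target, needed = node, node.view_roles
    while node is not None:                    # look upward for a user folder
        entry = node.users.get(login)
        if entry and entry[0] == password and needed & set(entry[1]):
            return target
        node = node.parent
    return None


# Constructed sample tree: only Manager may list the containers,
# but Member holds "View" on the document itself.
root = Node("root", ["Manager"], ["Manager"],
            users={"pat": ("secret", ["Member"])})
folder = root.add(Node("private", ["Manager"], ["Manager"]))
doc = folder.add(Node("index_dtml", ["Member", "Manager"], ["Manager"]))
```

In this model a Member is stopped by `restricted_traverse` at the root container, while `publish` returns the document for the same user, so container permissions alone do not protect an object whose own "View" roles are broader.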