gf wrote:

On 2/24/06, David <bluepaul@earthlink.net> wrote:

gf wrote:

Hi,
I am relatively new to Zope and have a question regarding acl_user folders.

I am trying to prevent 'view' access to an acl_users folder that I
have created in a non-root area of my website.

I have used the management interface Security tab to uncheck the
'Acquire permission settings' for the 'View' Permission and have
enabled View for the Manager role only.

I have taken the same actions for my root acl_users folder as well.

When I browse to http://mysite/myfolder/acl_users, I am presented with
a view of the index_html file contained within myfolder, with the
<dtml-var title_or_id> 'output' indicating that it is 'User Folder'.

Why is acl_users making use of the container's index_html? Is there a
way to limit even View access to this folder?

Thanks.

-g

gf,

Thats normal zope acquisition.  When you access a folder with no
viewable object it goes *up* in search of something to acquire and
index_html is implied.  Authorization occurs when something is about to
be published or accessed - not just typed in a URL.

David


Hi David,
I appreciate the clear explanation. That certainly makes sense.
Does that mean, then, that it is not really possible to limit view
access like I want without some 'extraordinary' measures? Is it
possible to have this particular folder type acquire some other object
instead of index_html? I suppose if I could redirect to another folder
that would be sufficient.

Thanks.

-g

gf,

So far you haven't described how they "view" acl_users. Which is what I thought was your concern.. They are viewing the first (authenticated) viewable object which is one level above.

Maybe you can better define your security concerns. What don't you want users to see?

David