Anders Bruun Olsen wrote at 2005-5-6 18:19 +0200:
... security = ClassSecurityInfo() security.setDefaultAccess("deny") security.declareProtected("View Bookbase", "index_html") ... When the template tries to access container/title an access denied expection is raised. With VerboseSecurity I get this explanaition:
Unauthorized: The container has no security assertions. Access to 'title' of (Bookbase at /bookbase) denied.
What exactly am I missing here?
Up to Zope 2.8, you cannot protect access to objects of simple type (such the "title" attribute of type "string") in an easy way. Access to such attributes are dually protected: By the "Object Permission" (set via "security.declareObjectProtected") *and* the "setDefaultAccess". "setDefaultAccess" can in fact take dictionaries and callables as arguments. Read the Zope Developper Guide for the types available for "__allow_access_to_unprotected_subobjects__" and how they are interpreted. "setDefaultAccess" just causes its argument to be assigned to "__allow_acc...". -- Dieter