Hi. Thanks for your response. Am 12-Apr-00 schrieb Itamar Shtull-Trauring:
resolve_url uses the exact same publishing machinery as calling a URL through the web; it does _not_ bypass the security machinery. If you do not have enough privledge to access to an object, then you will get an Unauthorized, just like when you call it through the web.
Additionally, if the object does not have an index_html, it may acquire it - so you also have to make sure that the index_html it might acquire is viewable by the user you're running as.
I *did* test this with several users, including a top-level defined user with Manager role and priviledges. The result was absolutely the same. This was what raised my question. Since the Manager role is granted all permissions, I *am* somewhat confused. I thought: maybe I have made a mistake within my objects somewhere and tried to use "resolve_url()" on DTML-Documents and tried to access their 'id' attribute with: <dtml-in "Catalog(meta_type='DTML Document')"> <dtml-with "resolve_url(getpath(data_record_id_), REQUEST)"> <dmtl-var id> </dtml-with> </dtml-in> which also raised the "unauthorised" Exception. As I have stated above: this does not happen when I do use the Superuser-account. I created some workaround (ugly, ugly) just to handle this. I am not quite happy with this, because I do need the ZCatalog object traversal desperately. Any further hints are absolutely welcome. Regards, Ingo ------------------------------------------