On Tue, 2003-09-09 at 07:59, nwingfield@che-llp.com wrote:
In this situation, I do not wish for local roles to be acquired from above. In other words, I don't want Joe to acquire the local role of 'Viewer' when attempting to look at Sam's stuff.
OK. That's easy enough to specify.
Because Zope makes the bold assertion that security should always get more permissive the deeper one traverses the object hierarchy,
It does? Maybe we have different definitions of "deeper" but I think that standard practice is exactly the opposite of what you describe.
is there no way to do this short of hacking the 'getRolesInContext()' method?
Sure. Use security assertions in your product code to limit viewing-related privileges to owner and manager by default. Unless I'm grossly misunderstanding the question, you should be able to accomplish everything you need right in your product code. Check out this link for more info on security assertions. http://zope.org/Members/mcdonc/PDG/chap5zdg.stx HTH, Dylan