Thanks for the response Dieter...
Jonathan Hobbs wrote at 2004-5-27 11:09 -0400:
I thought I understood permissions and roles, but...
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
What is the owner of this "DTML Method"? It can at most do what its owner is allowed to do.
The dtml method ('Display') is owned by 'admin' (from acl_users). The folder ('Data') is also owned by 'admin'. I have already tried to set the Proxy role of the dtml method to 'Owner' and the 'View' permission setting of the folder to 'Owner', with no luck (still get the security popup window).
BTW, "VerboseSecurity" can help you to analyse difficult security problems. Use the CVS version (once Zope's CVS starts to work again).
We are running Zope 2.6.1, so I will try the VerboseSecurity product - thanks for the tip!

Jonathan