Tres Seaver wrote:
> This is *by design*, Chris:
Well, that may be, but what if the design is wrong? ;-)
> it allows for "customers who have customers" to set up access to subsites, without requiring that users who can see the subsite have *any* privileges at the layers above. In Unixy terms, this is like making the parent directories "a+x" (they can be traversed) without requiring that they be "a+r" (readable).
Okay, but what role-to-permissions mappings do you set so that no-one can access a particular object's contents, once they know its id? (i.e. o-x)
> FWIW, Zope3 allows this choice to be pluggable, because traversal is governed by view components, which are configured by default to check access.
Well, this does beg the question: is this how restrictedTraverse works? If not, then why isn't restrictedTraverse used?

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk