hi alex (and everyone else),
i am seeing the *very same* thing on beta1, only difference being i am trying to use a SQL method stored in the unrestricted parent folder. all of a sudden i am getting an authorization prompt again. all this worked fine on alpha3. in my case the privileged user account is also specifically included in the parent folder acl_user list because i had problems on alpha3 where pictures pulled from that unrestricted parent folder wouldn't show and i got asked for authorization. which is logical, because at that time the parent folder only knew two accounts: the manager and the anonymous one, it didn't know who the hell this restricted user was ;)
Jens Vagelpohl
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Alexander Staubo
Sent: Tuesday, July 27, 1999 08:35
To: Zope Mailing List (E-mail)
Subject: [Zope] Down-level user folder conflict
I have another interesting authorization failure problem (Zope 2.0.0b1).
Let's say I have a folder called Restricted. Permissions for this folder are restricted to users of a specific privileged role called Editor. Inside this folder I also have a standard user folder with one such Editor user defined.
The problem arises when the user is viewing a document in the Restricted folder, and the document is referring to objects -- such as images through <img> tags -- from the _unrestricted_ part of the database. It'll give "Unauthorized" on these objects no matter what. Remember that these objects aren't restricted at all; the Anonymous role has full View access.
My suspicion is that if the browser passes an authentication header that does not match a valid user (known to the folder or any up-level folders through acquisition; in my case the whole idea is that the user folder is not visible from the part of the site that the browser passes an authentication header to), then Zope will not revert to the anonymous role, but will instead just block the user unconditionally.
If I move the user folder into the top-level folder, everything is groovy.
Sounds like a bug, anybody care to comment before I bung it in the Collector?
--
Alexander Staubo http://www.mop.no/~alex/
"QED?" said Russell. "It's Latin," said Morgan. "It means, So there you bastard."
--Robert Rankin, _Nostramadus Ate My Hamster_
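The behaviour suspected in the original message, as a simplified model added here (it is not Zope's code and not part of either message): a user-folder lookup that only searches upward from the requested object, with a switch between blocking an unknown user and treating it as anonymous. The folder layout, the `fall_back_to_anonymous` switch, the user `ed` and all passwords are constructed for illustration.

```python
import hmac

ANONYMOUS = ("Anonymous User", {"Anonymous"})

class Folder:
    """Toy container: optional local user folder plus roles allowed to View."""
    def __init__(self, name, parent=None, users=None, view_roles=("Anonymous",)):
        self.name, self.parent = name, parent
        self.users = users or {}          # user name -> (password, roles)
        self.view_roles = set(view_roles)

    def visible_user_folders(self):
        """User folders from this folder up to the root (up-level only)."""
        node = self
        while node is not None:
            if node.users:
                yield node.users
            node = node.parent

def identify(folder, credentials):
    """Return (name, roles), or None when a header names an unknown user."""
    if credentials is None:
        return ANONYMOUS
    name, password = credentials
    for users in folder.visible_user_folders():
        entry = users.get(name)
        if entry and hmac.compare_digest(entry[0], password):
            return name, set(entry[1]) | {"Anonymous"}
    return None

def status(folder, credentials, fall_back_to_anonymous):
    """HTTP status for a View request under either policy."""
    user = identify(folder, credentials)
    if user is None:
        if not fall_back_to_anonymous:
            return 401                    # suspected behaviour: block outright
        user = ANONYMOUS                  # expected behaviour: treat as anonymous
    return 200 if user[1] & folder.view_roles else 401

# Constructed site layout mirroring the report.
root = Folder("root", users={"manager": ("m-pw", ["Manager"])})
images = Folder("images", parent=root)    # Anonymous may View
restricted = Folder("Restricted", parent=root, view_roles=("Editor",),
                    users={"ed": ("ed-pw", ["Editor"])})
ED = ("ed", "ed-pw")                      # header the browser keeps sending

if __name__ == "__main__":
    for folder in (restricted, images):
        for fallback in (False, True):
            print(folder.name, fallback, status(folder, ED, fallback))
```

Adding the `ed` entry to `root.users` makes the blocking policy return 200 for `images` as well, which corresponds to the workaround of moving the user folder to the top level.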