Hi Dieter, Dieter Maurer wrote:
When I remember right, you used a template to verify the behaviour you expect Zope to have.
But a standard template tries to access its client (in your setup the protected folder) to show its "title/id". And this fails, when the client does not grant "Access contents information" (in case "client" is a "Folder" as in your case).
I suggest, you try again with an "Image" object instead of a template or remove all references to "here" and "container" in your (Page) template.
Apologies, both you and Bart Hubbard, who pointed out the same reasoning, are completely correct. This feels like a pretty horrible security hole to me :-( What do other people think? cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk