For the archives...

I was trying to set a proxy role on a dtml method to 'Authenticated' to enable it to access image files in a subfolder which had its 'View' permission set to authenticated.

eg.

Folder A
   |
   |-- Display method (proxy=authenticated)
   |-- Data folder (view=authenticated)
          |
          |-- image file

I kept getting security access errors with this arrangement.

The reason was that the Display method used the html tag <img src="DataFolder/imagefile">. The proxy role authenticated the Display method (as expected), but the html <img> tag actually causes a second http request to access the 'src' file, and this second http request is not authenticated, thereby causing the security access error.

----- Original Message -----
From: "Jonathan Hobbs" <hobbs@magma.ca>
To: "Geir Bækholt" <lists@elvix.com>
Cc: "Zope mailinglist" <zope@zope.org>
Sent: May 27, 2004 4:15 PM
Subject: Re: [Zope] Basic Security question
From: "Geir Bækholt" <lists@elvix.com>
On Thu, 27 May 2004 11:09:46 -0400 GMT Jonathan Hobbs asked the Zope mailinglist about the following:
I thought I understood permissions and roles, but...
I have a folder ('Data') with the 'View' security role set to 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
When, as an 'anonymous' user, I try to access an object within the 'Data' folder the security popup window (enter your name/password) is displayed. This works as I expected it to.
I have created a dtml method called 'Display'. This test routine is hardcoded to display an object from the 'Data' folder. I have set the Proxy role for the Display method to "Authenticated". When, as an 'anonymous' user, I access the 'Display' method the security popup window appears?! Shouldn't the Proxy role assigned to the dtml method enable access to the object in the folder?
Is the 'Display'-method incidentally also located inside the Data folder? If that is the case, anon is still not allowed to access it, and proxy /no proxy will not matter.
No, the 'Display' dtml method and the 'Data' folder are both objects in the same, higher level folder
ie.
Folder A
   |
   |-- Display method
   |-- Data folder
          |
          |-- image file
where 'image file' is the object that 'Display' method is trying to access.
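The behaviour described at the top of this thread, as an added example that is not part of the original messages: a simplified Python model of a proxy role covering accesses made inside the Display method but not the browser's separate request for the <img> src. It is not Zope's API; the SITE table, the function names and the role sets are constructed for illustration.

```python
import re

class Unauthorized(Exception):
    """Raised when the effective roles lack the 'View' permission."""

# Constructed stand-in for the thread's Folder A; not Zope's data model.
SITE = {
    "Display": {"view": {"Anonymous", "Authenticated"},
                "proxy": {"Authenticated"},
                "body": '<img src="DataFolder/imagefile">'},
    "DataFolder/imagefile": {"view": {"Authenticated"},
                             "proxy": set(),
                             "body": "IMAGE-BYTES"},
}

def check_view(path, roles):
    """Return the object if any of the given roles holds 'View' on it."""
    if not SITE[path]["view"] & roles:
        raise Unauthorized(path)
    return SITE[path]

def server_side_read(method_path, target_path, user_roles):
    """Access made by code running inside method_path, within one request."""
    method = check_view(method_path, user_roles)
    # Proxy roles, when set, replace the caller's roles for this access.
    effective = method["proxy"] or user_roles
    return check_view(target_path, effective)["body"]

def http_get(path, user_roles):
    """One HTTP request: only the requester's own roles are checked."""
    try:
        return 200, check_view(path, user_roles)["body"]
    except Unauthorized:
        return 401, ""

def browse(path, user_roles):
    """Fetch a page, then fetch each <img src> as a separate request."""
    status, html = http_get(path, user_roles)
    results = {path: status}
    for src in re.findall(r'<img\s+src="([^"]+)"', html):
        # The browser issues this request itself; no proxy role is in play.
        results[src] = http_get(src, user_roles)[0]
    return results

if __name__ == "__main__":
    anon = {"Anonymous"}
    print(browse("Display", anon))
    print(server_side_read("Display", "DataFolder/imagefile", anon))
```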