Quoting Toby Dickenson <tdickenson@geminidataloggers.com>:
On Thursday 19 Sep 2002 1:05 am, John K. Hohm wrote:
[snip]
No, that's not it at all. I want all authenticated users to have permissions to list the contents of the /auto folder, but I want a user to have permissions to the /auto/foo, /auto/bar, etc. folders and their contained items only if they have a role local to one of those folders.
From what I can see thats exactly the same as my example, assuming the top level folder is your new folderish product.
I suggest you create a new "list contents of top-level folder" permission, change your folderish product so that this permission controls the relevant methods, then grant this permission to everyone.
Although your assumption is wrong, your suggestion is excellent. :-) My folderish product is actually the sub-folder foo in /auto/foo.
As it happens I am assigning the local roles with a BasicUser modification by virtue of a user having a role whose name is related to the name of the folder, say foo_dogs or bar_dogs.
Thats cool.
Thanks, I think so, especially when following your suggestion. Creating a 'View MyProduct' permission and using declareObjectProtected lets me do what I want. Now I have the dogs role defined at /auto and assigned the 'View MyProduct' permission, but don't otherwise change the /auto permissions. The result is that only the users that get the 'dogs' role in the context of /auto/foo can see /auto/foo or anything in it, but once they have that role they can do everything with it and its contents based on what roles they have in /auto. Thanks for sticking with me on this one; it took a while for the proverbial light bulb over my head to flicker on.