Hi, On Fri, Apr 20, 2001 at 09:05:50PM +0200, Dieter Maurer wrote:
I am not sure whether it was you with whom I discussed a similar problem?
No, I don't think so.
I could reproduce a problem when the user had not "Access Contents Information", but the "View" permission was not necessary.
Same for your problem (I am using ZopeCVS, about 10 days old):
"has_permission" requires "Access Contents Information" for its object attribute (a bug in my view), but no 'View' permission.
I've tried to give this permission on "mymethod" to anonymous users but without luck.
Jerome Alet writes:
.... <dtml-if "AUTHENTICATED_USER.has_permission('View', mymethod)"> ... but if I access the pages as an anonymous user then I've got an Unauthorized exception instead of not having the "Members only" link. Either some strange effect with your Zope version or:
maybe. I'll try to update ASAP.
* your "standard_html_xxx" is a DTML Document (! not method)
no it's a DTML method.
* your user is defined in a subfolder "acl_user", i.e. above "mymethod"
not the case.
then the additional check, that a user can not reach material outside the context of its user folder may hit you.
As a working solution I've given a proxy role of Manager to my standard_html_footer method: it works fine but I don't really understand what security problems may arise... bye, and thanks to all for the help. Jerome Alet