Hello,

I've tried what you said

When "standard_html_header" and "standard_html_footer" are owned by "dev", it works with the "Access contents information" permission set for the manager role.

I think it's because of acquisition of a DTML Method owned by root.

Am I right?

I am new to Zope, and I want to learn a lot about security.

If you have exercises like this one, I would appreciate it.

(I also need grammar correction, don't I ;)

Xavier

 

Today I tried on my Zope 2.3.2 (source release, python 1.5.2, linux2) what I did a hundred times successfully before:

1. created a folder "production"

2. set not to acquire the "View" permission for this folder

3. created a role "developer"

4. created a user "dev" with role developer

5. changed security settings so that developers can "View"

6. created two dtml-methods "standard_html_header" and "standad_html_footer" inside the new folder

7. logged in as dev and got the error message:

Unauthorized

You are not authorized to access standard_html_header

Strangely enough, this only occurs with standard_html_header and standard_html_footer.

I also created a dtml-method called index_html and could see it.