By referring to 1.10 I did not intend to create the impression that I am very experienced. I am still just an average user and happy with that. But consider this use case:

f1 (folder, acquisition of View permission disabled, and granted again to all roles except Anonymous)
  f1_index (DTML method)
  f11 (folder)
    acl_users (user folder)
      user1 (user object with user-defined 'student' role)
    index_html (DTML method calling f1_index)

When calling .../f1/f11 and authenticating as user1 in Zope 2.7.3, you will get the page, but in 2.7.8 you are not authorized. I have attached an export file with this setup. If you'd like to try, just give user1 a password of your liking and see for yourself.

More importantly, however, how would one go about making available objects shared by many subfolders, each with its own group of users?

cb

----- Original Message -----
From: "Lennart Regebro" <regebro@gmail.com>
To: "Kees de Brabander" <cj.de.brabander@hccnet.nl>
Cc: "David" <bluepaul@earthlink.net>; "zope user list" <zope@zope.org>
Sent: Saturday, February 11, 2006 12:09 PM
Subject: Re: [Zope] Zope and roles and hierarchy

On 2/11/06, Kees de Brabander <cj.de.brabander@hccnet.nl> wrote:
> Unaware of any security risks, I used this "feature" from Zope 1.10.x on, and, regularly upgrading my applications, I had no problems until Zope 2.7.8.
Admittedly, I didn't use 1.10; I only discovered Zope two months later, with 2.0.1. And I don't remember those details that far back. But at least in 2.4.0, this code was called when you did user.allowed():

[...]

And hence, you can't have done this after Zope 2.4.0. So I still think you are talking about something else.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
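To make the setup in the thread concrete, here is a small model of the two checks involved, added for this page and not taken from Zope's own code: role lookup for the View permission with the "acquire" flag honoured per folder, and the user-folder context check that Lennart refers to, rendered here as the assumption that an object must be *contained* in the folder holding the user's acl_users (acquiring it from a subfolder does not change containment). The names `Node`, `User`, `home`, `build_site` and the two `check_*` functions are this example's own. It goes one step beyond the post by also running the same user defined one level up, in f1/acl_users, to show what the model then allows.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Simplified, hypothetical model of the Zope 2 permission and user-folder
# checks discussed in this thread. It is an illustration written for this
# page, not Zope's own code; the context check is an assumed rendering of
# the "user.allowed()" check Lennart mentions.

STANDARD_ROLES = {"Manager", "Owner", "Authenticated", "Anonymous"}


@dataclass
class Node:
    """A folder or document; permission settings are stored per node."""
    name: str
    # permission -> (acquire from parent?, roles granted on this node)
    permissions: Dict[str, Tuple[bool, Set[str]]] = field(default_factory=dict)
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child

    def containment(self):
        """Nodes on the containment path from the root down to this node."""
        chain = []
        node = self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

    def roles_for(self, permission: str) -> Set[str]:
        """Roles holding `permission` here, merging the parent's roles
        while acquisition is enabled for that permission on this node."""
        acquire, roles = self.permissions.get(permission, (True, set()))
        roles = set(roles)
        if acquire and self.parent is not None:
            roles |= self.parent.roles_for(permission)
        return roles


@dataclass
class User:
    name: str
    roles: Set[str]
    # folder that contains the acl_users this user is defined in
    home: Node

    def allowed(self, obj: Node, permission: str) -> bool:
        object_roles = obj.roles_for(permission)
        if "Anonymous" in object_roles:
            return True
        # every logged-in user also carries the Authenticated role
        if not (self.roles | {"Authenticated"}) & object_roles:
            return False
        # Context check (assumed model): obj must be contained in the user's
        # home folder; acquiring obj from a subfolder changes nothing here.
        return self.home in obj.containment()


def build_site() -> Dict[str, Node]:
    """The setup from the post: f1 with View not acquired but granted to
    every role except Anonymous, f1_index inside f1, and f11 holding its
    own acl_users (user1, role 'student') and index_html."""
    root = Node("root", {"View": (False, {"Manager", "Anonymous"})})
    f1 = root.add(Node("f1", {"View": (False, (STANDARD_ROLES - {"Anonymous"}) | {"student"})}))
    f1_index = f1.add(Node("f1_index"))
    f11 = f1.add(Node("f11"))
    index_html = f11.add(Node("index_html"))
    return {"root": root, "f1": f1, "f1_index": f1_index, "f11": f11, "index_html": index_html}


def check_user_in_f11() -> Dict[str, bool]:
    """user1 defined in f11/acl_users: f11/index_html passes, f1_index does not."""
    site = build_site()
    user1 = User("user1", {"student"}, home=site["f11"])
    return {
        "f11/index_html": user1.allowed(site["index_html"], "View"),
        "f1/f1_index": user1.allowed(site["f1_index"], "View"),
    }


def check_user_in_f1() -> Dict[str, bool]:
    """Same user defined one level up, in f1/acl_users: both pass, because
    f1_index and every subfolder are inside that user folder's context."""
    site = build_site()
    user1 = User("user1", {"student"}, home=site["f1"])
    return {
        "f11/index_html": user1.allowed(site["index_html"], "View"),
        "f1/f1_index": user1.allowed(site["f1_index"], "View"),
    }


if __name__ == "__main__":
    print("user1 in f11/acl_users:", check_user_in_f11())
    print("user1 in f1/acl_users: ", check_user_in_f1())
```

In this model the role grant on f1 is never the problem: user1 holds 'student' (and Authenticated), and both are granted View on f1. What fails for f1/f1_index is the containment step, since f11 is not on f1_index's path, which is exactly the condition the "user folder above the shared object" variant satisfies.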