The only way to do this is to turn pages into agents, and with proxy roles, this is possible if your pages are DTML, but not with ZPT.

There is a way to do this; create custom roles bound to particular types of behaviors. For example, create a role called 'renderer'; bind the 'View' permission bound to standard_html_header, etc. Then use proxy roles to make it so that your page 'foo_html' has a proxy role of 'renderer' -- this effectively means that your page is 'an agent that has permission to access resource standard_html_header' or something like that.

Sean

-----Original Message-----
From: Ausum [mailto:augusto@artlover.com]
Sent: Wednesday, December 19, 2001 10:39 PM
To: zope@zope.org
Subject: [Zope] How to restrict the rendering of public methods?

Is it possible to restrict a method to be rendered only by another method? For example, what if we don't want "standard_html_header" to be rendered by itself?

Currently, typing "(path)/standard_html_header", for example, renders the corresponding part of the page, because that method is already supposed to be permitted to view to all users, since the methods that would use it (like index_html) will inherit that permission. But, what if this turns out to be a security issue? Is it possible to make all methods "system-callable-not-renderable only", unless specified?

Thanks in advance,

Ausum
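A simplified model of the arrangement described in the reply, added here as an illustration; it is not Zope code and not part of the original thread. The names `Obj`, `can_view`, `publish`, `allowed` and `plain_html` are made up for the sketch, and it assumes that a caller's proxy roles replace the requesting user's roles while that caller renders other objects.

```python
# Simplified model of the access check described in the reply; not Zope's code.
# Obj, can_view, publish and allowed are hypothetical names for this sketch.

class Obj:
    def __init__(self, name, view_roles, proxy_roles=(), includes=()):
        self.name = name
        self.view_roles = set(view_roles)    # roles holding 'View' on this object
        self.proxy_roles = set(proxy_roles)  # empty means no proxy roles set
        self.includes = list(includes)       # objects this page renders


def can_view(target, user_roles, caller=None):
    """True if 'View' on target is granted in the current context.

    Assumption of the model: while a caller that has proxy roles is
    executing, its proxy roles replace the user's roles for the check.
    """
    if caller is not None and caller.proxy_roles:
        effective = caller.proxy_roles
    else:
        effective = set(user_roles)
    return bool(effective & target.view_roles)


def publish(page, user_roles):
    """Model a browser request for page; return the names rendered or raise."""
    if not can_view(page, user_roles):
        raise PermissionError("Unauthorized: " + page.name)
    rendered = [page.name]
    for part in page.includes:
        if not can_view(part, user_roles, caller=page):
            raise PermissionError("Unauthorized: %s via %s" % (part.name, page.name))
        rendered.append(part.name)
    return rendered


def allowed(page, user_roles):
    try:
        publish(page, user_roles)
        return True
    except PermissionError:
        return False


# Constructed site: 'View' on the header is held only by 'renderer' (and Manager).
header = Obj("standard_html_header", view_roles={"renderer", "Manager"})
foo_html = Obj("foo_html", {"Anonymous", "Manager"}, proxy_roles={"renderer"}, includes=[header])
plain_html = Obj("plain_html", {"Anonymous", "Manager"}, includes=[header])
```

In this model an anonymous request for `standard_html_header` itself is refused, `foo_html` renders it through its 'renderer' proxy role, and `plain_html`, which has no proxy role, fails for the same anonymous user.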