Re: [Zope] Authenticating many users to manage only their own folders?
Darran,

I would create the users in a root level UserFolder and then assign the user local roles within their own folder. This can be done programmatically, something like:

    def add_User(self, username=None, password=None, confirm=None, domains=[], roles=[]):
        ######
        # let's create the user
        ######
        self.acl_users._doAddUser(name=username, password=password, domains=domains, roles=roles)
        ######
        # now create the home directory for this member
        ######
        self.members.manage_addFolder(id=username, title='', createPublic=0, createUserF=0)
        title = "%s's Homepage" % username
        s = """<dtml-var standard_html_header>
    <h2><dtml-var title_or_id></h2>
    <p>This is the default page created for a Member, it has very little content, as you can see.
    <p>To see a better example of how Zope works look at the <a href="&dtml-SCRIPT_NAME;/zGold/QuickStart">QuickStart</a> documentation.
    <p>Also see the <a href="&dtml-SCRIPT_NAME;/zGold/Example">XML examples</a>.
    <p>Most of all have fun!.
    <dtml-var standard_html_footer>"""
        eval("self.members.%s.manage_addDTMLDocument(id='index_html',title=title,file=s)" % username)
        ######
        # now set them as manager of this domain
        ######
        eval("self.members.%s.manage_addLocalRoles(userid='%s',roles=['Manager'])" % (username, username))
        return " "

You might want to investigate alternatives to the eval bits though, could be a bit of a security problem.

HTH
Phil
phil.harris@zope.co.uk

-----Original Message-----
From: Darran Edmundson <Darran.Edmundson@anu.edu.au>
To: zope <zope@zope.org>
Date: 14 February 2000 15:21
Subject: [Zope] Authenticating many users to manage only their own folders?
My first real foray into security ...
    root
      People (define Admin role here)
        robert
          acl_users (robert,Admin)
        douglas
          acl_users (douglas,Admin)
        william
          acl_users (william,Admin)
        .
        .
I want to configure my site such that users can only edit their own property sheets. My naive way of accomplishing this is to create an Admin role in People's permissions that has management_screen access. I then add a UserFolder in each person's ZClass with them as the sole user (Admin role).
It works but there are problems with my naive approach:
1) It's cumbersome. I have to create a UserFolder and User for each person I add (though I guess I can do this programmatically in my constructor). To create this, I need to allow UserFolder additions in my ObjectManager-derived class. Now the logged-in user also has UserFolders as an addable object ...
2) Users can see the acl_users folder in the management screen. They can delete it. And if I change Admin so that they can't "delete objects", they can't delete *any* objects, including instances of other objects they've themselves created in this folder.
It's 1:40am here in Oz and I'm shattered having taken the day off from my "real" job to make it a long weekend of Zoping. I'd love to awake in the morning to an email chorus of advice. This has got to be a common-enough scenario, authentication, not people skipping work to Zope ...
Cheers, Darran.
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
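An added example (not Phil's code and not Zope's own) of the same add-user procedure from the reply above, with the eval() calls replaced by an id check plus getattr(): the member id is validated against a strict pattern before it is used as a folder id, and the new folder is reached as an attribute rather than by splicing the id into source text. The Fake* classes are constructed stand-ins for acl_users, the members folder and its sub-folders so the code runs outside Zope; their method names and keyword arguments follow the calls shown in the reply, and DEFAULT_PAGE is a constructed template.

```python
import re

# Constructed stand-ins for the Zope objects the reply above uses
# (acl_users, the members folder and its sub-folders). They only record
# the calls so the example runs outside Zope; they are not Zope code.
class FakeUserFolder:
    def __init__(self):
        self.users = {}

    def _doAddUser(self, name, password, roles, domains):
        self.users[name] = {'password': password,
                            'roles': list(roles),
                            'domains': list(domains)}


class FakeFolder:
    def __init__(self, id, title=''):
        self.id = id
        self.title = title
        self.local_roles = {}
        self.documents = {}

    def manage_addFolder(self, id, title='', createPublic=0, createUserF=0):
        # Zope exposes contained objects as attributes of the container,
        # which is why the original reply reached them via eval().
        setattr(self, id, FakeFolder(id, title))

    def manage_addDTMLDocument(self, id, title='', file=''):
        self.documents[id] = {'title': title, 'file': file}

    def manage_addLocalRoles(self, userid, roles):
        self.local_roles.setdefault(userid, []).extend(roles)


class FakeRoot:
    def __init__(self):
        self.acl_users = FakeUserFolder()
        self.members = FakeFolder('members')


# Constructed default page; the real one is whatever DTML the site wants.
DEFAULT_PAGE = """<dtml-var standard_html_header>
<h2><dtml-var title_or_id></h2>
<p>This is the default page created for a Member.
<dtml-var standard_html_footer>"""

# Member ids are restricted to a letter followed by letters, digits,
# underscore or hyphen. Anything that could be read as Python or DTML
# syntax (quotes, parentheses, dots, whitespace) is rejected up front.
VALID_ID = re.compile(r'^[A-Za-z][A-Za-z0-9_-]{0,63}$')


def is_valid_member_id(username):
    """True if username is safe to use as a folder id and attribute name."""
    return bool(username) and VALID_ID.match(username) is not None


def add_user(root, username, password, domains=(), roles=('Member',)):
    """Create the user, its home folder and index page, and make it Manager
    of that folder, without ever splicing the id into source text."""
    if not is_valid_member_id(username):
        raise ValueError('invalid member id: %r' % (username,))
    if hasattr(root.members, username):
        raise ValueError('member id already in use: %r' % (username,))

    root.acl_users._doAddUser(name=username, password=password,
                              domains=domains, roles=roles)
    title = "%s's Homepage" % username
    root.members.manage_addFolder(id=username, title=title,
                                  createPublic=0, createUserF=0)
    # getattr() replaces the eval("self.members.%s..." % username) calls:
    # the id is looked up as an attribute, never interpreted as code.
    home = getattr(root.members, username)
    home.manage_addDTMLDocument(id='index_html', title=title, file=DEFAULT_PAGE)
    home.manage_addLocalRoles(userid=username, roles=['Manager'])
    return home


if __name__ == '__main__':
    site = FakeRoot()
    home = add_user(site, 'robert', 'secret')
    print(home.local_roles)                  # {'robert': ['Manager']}
    print(is_valid_member_id("x'); bad("))   # False
```

The validation step is the part that matters: once the id can only be a plain identifier, both the attribute lookup and the DTML title built from it are safe, and the duplicate check also stops a new member from shadowing an existing attribute of the members folder. Inside a real Zope External Method the `root` argument would be `self` and the Fake* classes would simply not exist.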