Does Zope security provide a way of restricting what objects are listed to an authenticated user inside the Zope 'manage' interface? I'm getting my head all twisted up over this security / proxy roles / local roles lark.

Thanks, seb
I too have a doubt about security stuff. It so happens that I have this setup:

rootfolder + myfolderobjects + inheritedstuff

I have a user X in the root folder. Roles are so that anonymous doesn't have permission for anything. Then, there is a user role, that is allowed some stuff, and I assign the local role of User to X in inheritedstuff. He now can see index_html. I proxy-role index_html to the User role so I can <dtml-var somestuff> that is in myfolderobjects, somestuff being a DTML Method. It works. X can access index_html, which in turn includes somestuff from its parent folder, and I did not have to give him explicit rights to any of the objects in myfolderobjects.

BUT, if I try to <dtml-var somesqlmethod>, it won't work. Note that the User role does have permission to run SQL methods. That's, in my point of view, a mistake in Zope's security policy. If I proxy-role a document or method, I should be able to acquire anything specified in it, from its parent hierarchy.

Please help or tip. Thanks =)

Seb Bacon wrote:
Does Zope security provide a way of restricting what objects are listed to an authenticated user inside the Zope 'manage' interface? I'm getting my head all twisted up over this security / proxy roles / local roles lark.
Thanks, seb
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Manuel Amador (Rudd-O)