security model with regards to acquisition
I have a folder that has restricted access. In a parent folder I have a DTML method that accesses a property of the folder. A browser that has not been authenticated for viewing the folder can still view/use the acquired method in the folder, i.e. they type http://server.com/RestrictedFolder/parentMethod and it works!!! This seems counter intuitive to me. Either you have access to a folder or you do not. Why is this the case and should it be? In any case how do I make sure users can not do the above unless authenticated?
"Jay, Dylan" wrote:

> I have a folder that has restricted access. In a parent folder I have a DTML method that accesses a property of the folder. A browser that has not been authenticated for viewing the folder can still view/use the acquired method in the folder, i.e. they type
> http://server.com/RestrictedFolder/parentMethod and it works!!!
> This seems counter intuitive to me.

Me too. Note that this has nothing to do with acquisition. A Public method of the folder could also access a property of the folder.

> Either you have access to a folder or you do not.

Well, there are many types of access. But I think it should be possible to disable access to a folder's properties through the "Access contents information" permission.

> Why is this the case and should it be? In any case how do I make sure users can not do the above unless authenticated?

This is a bug in the validation logic. The current rules allow access to objects that don't have __roles__ attributes and that are not acquired. The reason is that it is assumed that you have to have access to the container to get the object, but this is not always true.

I will fix this today and check the fix in, so it will be available via the public CVS. The fix will also be in the next release. The fix will add a check for parent roles even if an object is not acquired.

A possible workaround is to use an expression and name the folder when you access properties to force access to the folder to be checked:

    <!--#var "theSecretFolder.aProperty"-->

Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!
Technical Director   (888) 344-4332            http://www.python.org
Digital Creations    http://www.digicool.com   http://www.zope.org

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email address may not be added to any commercial mail list without my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
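
The validation rule described in the reply above, as an added example that is not part of the original thread and is not Zope's actual code: a simplified Python model of the check before and after the announced fix. The class and function names are hypothetical, roles are modelled as plain sets, and the behaviour of the acquired branch is an assumption inferred from the reply.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Obj:
    name: str
    roles: Optional[frozenset] = None   # None models "has no __roles__ attribute"
    parent: Optional["Obj"] = None

def container_roles(node):
    """Nearest role declaration, walking up through the containers."""
    while node is not None:
        if node.roles is not None:
            return node.roles
        node = node.parent
    return frozenset({"Anonymous"})     # assumption: nothing declared means public

def validate_old(user_roles, value, container, acquired):
    """Rule as described: no __roles__ and not acquired means allowed."""
    if value.roles is not None:
        return bool(user_roles & value.roles)
    if not acquired:
        return True                     # assumes the container was already checked
    return bool(user_roles & container_roles(container))

def validate_fixed(user_roles, value, container, acquired):
    """Announced fix: check the parent's roles even when not acquired."""
    if value.roles is not None:
        return bool(user_roles & value.roles)
    return bool(user_roles & container_roles(container))

# Constructed sample hierarchy mirroring the thread's scenario.
root = Obj("root", frozenset({"Anonymous", "Manager"}))
restricted = Obj("RestrictedFolder", frozenset({"Manager"}), root)
a_property = Obj("aProperty", None, restricted)   # plain property, no roles of its own
ANON = frozenset({"Anonymous"})
MANAGER = frozenset({"Manager"})

def check(user_roles):
    """(old, fixed) decision for reading RestrictedFolder's own property."""
    args = (user_roles, a_property, restricted, False)   # not acquired
    return validate_old(*args), validate_fixed(*args)

if __name__ == "__main__":
    print("anonymous:", check(ANON))
    print("manager:  ", check(MANAGER))
```
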
participants (2): Jay, Dylan; Jim Fulton