Re: [Zope] How to get around non-propagating proxy roles, also security problem with zsql traversal?
Brad Clements writes:
> 1. Why is it that proxy roles don't propagate and accumulate when methods are called?

I do not know exactly but suppose it is to reduce the danger of trojan horses.
It was changed with the new Zope 2.2 security policy.
> 2. I'm actually using simple ZSQL traversal, like this:
> mysite.com/MyFolder/MyZSQL/138348343/PublicInfo
> PublicInfo is the DTML Doc with proxy role = PUBLIC.
> MyZSQL is an SQL Method that doesn't appear to be viewable by anonymous. However, when called using simple traversal shown above, the SQL method IS executed.
> Is this a security bug? It seems that anonymous users can "call" an sql method using traversal even if security disallows anonymous View.

It is not the view permission that is relevant for Z SQL method use, but "Use database methods".
Nevertheless, I can imagine that it will nevertheless be possible to use the method, even if the permission is not granted. This is due to the way the permission checking is implemented. The ZPublisher first locates the object to be accessed by URL traversal without any security checks (as it does not yet have any user information). After the object is located, it determines its protection and then walks back along the objects visited to find the object in order to find a user folder able to authenticate a user with sufficient privileges. Security restrictions of these intermediate objects are only relevant if they were inherited by the final object.

Thus, indeed, you may have found a security hole. Put it into the collector.

Dieter
Dieter Maurer
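
A simplified model of the publishing order described in the reply above, added here as an illustration; it is not part of the original message and is not Zope's code. `Node`, `SqlMethod`, `check`, both `publish_*` functions and `build_site` are hypothetical names, and the site tree is constructed to mirror the URL in the post. It contrasts checking only the final object with checking every object before it handles the next URL segment.

```python
# Simplified model of the traversal behaviour described in the reply.
# Not Zope code: every class and function name here is hypothetical.
class Node:
    def __init__(self, name, required=None, children=None):
        self.name = name
        self.required = required          # permission needed to use this object
        self.children = children or {}

    def traverse(self, step, log):
        return self.children[step]

class SqlMethod(Node):
    """Next URL segment is a query argument; the query runs during traversal."""

    def traverse(self, step, log):
        log.append(f"{self.name} executed with argument {step}")
        # In this model the result record exposes the templates that render it.
        return Node(f"record {step}", children=self.children)

def check(obj, granted):
    if obj.required is not None and obj.required not in granted:
        raise PermissionError(f"{obj.required!r} required for {obj.name}")

def publish_final_only(root, path, granted, log):
    """Resolve the whole path first, then check only the published object."""
    obj = root
    for step in path.split("/"):
        obj = obj.traverse(step, log)     # no security check at this point
    check(obj, granted)
    return obj.name

def publish_every_step(root, path, granted, log):
    """Check each object before it is allowed to handle the next segment."""
    obj = root
    for step in path.split("/"):
        check(obj, granted)
        obj = obj.traverse(step, log)
    check(obj, granted)
    return obj.name

def build_site():
    # Constructed sample mirroring MyFolder/MyZSQL/<id>/PublicInfo from the post.
    zsql = SqlMethod("MyZSQL", required="Use database methods",
                     children={"PublicInfo": Node("PublicInfo")})
    folder = Node("MyFolder", children={"MyZSQL": zsql})
    return Node("root", children={"MyFolder": folder})
```

With an empty permission set, `publish_final_only` returns `PublicInfo` and the log records that `MyZSQL` ran, while `publish_every_step` raises `PermissionError` before the query is executed.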