Manual AUTHENTICATED_USER (Re: [Zope] GUF: Generic User Folder)
--- In zope@egroups.com, chas <panda@s...> wrote:
Sorry to bother you, but why should it be best done at the product level if all the product does is what can be done in one line below? I find this manual setting very useful.
For a low-security site, manual setting should still be fine. Tweaking into the traverse machinery actually is not too hard; you can look at the BaseRequest.py and HTTPRequest.py files. Pay attention particularly to the assignment of the _auth variable. I have played with switching _auth on the fly and it worked. :) But of course I won't recommend that everyone modify their Zope code just like that.

Evan's argument was: manual setting may not be compatible with future releases of Zope, so it's better to make things into a product. Which I agree with. But as it turned out, the SiteAccess product itself actually broke with the new release of Zope. :) So even with products one still has to be careful with Zope release changes.

For higher-security sites, the manual setting is not good enough, since people that know the exact location of DTML/ZSQL methods can still call them up directly. (Same as with images, but images usually are not a high security concern.) The thing to do seems to be: whenever there is an HTTPRequest transaction, tweak the _auth variable in the constructor of the HTTPRequest object (or even earlier, in the environment variables!) to your generic user. This will make all web objects secure. I still haven't looked into the "clean" flag and the "sane_enviroment()" of HTTPRequest.py.

Anyway, if I have time I'll make a product... it's just not high on my priority of things. :)

regards,

Hung Jung
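The contrast the post draws, as an added illustration that is not Zope's code and not from the thread: a page that stamps a generic user into the request as a side effect of being rendered only covers objects reached through that page, whereas stamping the user when the request is built, before traversal, covers every object reachable by URL. The publisher model below (the `Request`, `publish`, `Folder`, `FrontPage` and `ProtectedMethod` names are assumptions made for this example) shows both behaviours on a two-object site.

```python
# Added example, not Zope's own code. A minimal model of a publisher that
# traverses a URL path through an object tree and then calls the target.
# It contrasts two ways of supplying a "generic user":
#   1. "manual": a front page sets REQUEST['AUTHENTICATED_USER'] as a side
#      effect of being rendered, so only objects reached *through* that page
#      see the user;
#   2. "request-level": the publisher sets the user when it builds the
#      request, before traversal, so every object reached by URL sees it.
# Request, publish, Folder, FrontPage and ProtectedMethod are assumed names.

from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a protected object is called without an authenticated user."""


@dataclass
class Request:
    path: str
    other: dict = field(default_factory=dict)   # stands in for REQUEST.other

    def get(self, key, default=None):
        return self.other.get(key, default)


class ProtectedMethod:
    """Stands in for a DTML/ZSQL method that requires an authenticated user."""

    def __init__(self, name):
        self.name = name

    def __call__(self, request):
        user = request.get("AUTHENTICATED_USER")
        if user is None:
            raise Unauthorized(self.name)
        return f"{self.name} rendered for {user}"


class FrontPage:
    """The 'manual setting' approach: the page itself stamps a generic user
    into the request and then renders a protected method inline."""

    def __init__(self, generic_user, target):
        self.generic_user = generic_user
        self.target = target

    def __call__(self, request):
        request.other["AUTHENTICATED_USER"] = self.generic_user   # the one-liner
        return self.target(request)


class Folder(dict):
    """Object tree node; children are looked up by URL segment."""


def traverse(root, path):
    obj = root
    for segment in path.strip("/").split("/"):
        if segment:
            obj = obj[segment]
    return obj


def publish(root, path, generic_user=None):
    """Build the request, optionally stamp the user *before* traversal
    (the request-level approach), then traverse and call the target."""
    request = Request(path)
    if generic_user is not None:
        request.other["AUTHENTICATED_USER"] = generic_user
    target = traverse(root, path)
    return target(request)


def build_site():
    # Constructed sample site: a front page plus one directly addressable method.
    method = ProtectedMethod("report_sql")
    root = Folder()
    root["index_html"] = FrontPage("generic", method)
    root["report_sql"] = method
    return root


def manual_setting_results():
    """Manual setting: the user flows via the front page but not via the direct URL."""
    root = build_site()
    via_front = publish(root, "/index_html")
    try:
        publish(root, "/report_sql")
        direct = "allowed"
    except Unauthorized:
        direct = "unauthorized"
    return via_front, direct


def request_level_results():
    """Request-level setting: both routes see the same generic user."""
    root = build_site()
    return (publish(root, "/index_html", generic_user="generic"),
            publish(root, "/report_sql", generic_user="generic"))


if __name__ == "__main__":
    print(manual_setting_results())
    print(request_level_results())
```

Running it shows the manual route succeeding only through `index_html` while the direct call to `report_sql` sees no user at all, and the request-level route giving both URLs the same identity; that uniformity is what the post means by setting `_auth` once per HTTPRequest instead of per page.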