limiting view access to acl_users
Hi, I am relatively new to Zope and have a question regarding acl_user folders. I am trying to prevent 'view' access to an acl_users folder that I have created in a non-root area of my website. I have used the management interface Security tab to uncheck the 'Acquire permission settings' for the 'View' Permission and have enabled View for the Manager role only. I have taken the same actions for my root acl_users folder as well.

When I browse to http://mysite/myfolder/acl_users, I am presented with a view of the index_html file contained within myfolder, with the <dtml-var title_or_id> 'output' indicating that it is 'User Folder'. Why is acl_users making use of the container's index_html? Is there a way to limit even View access to this folder?

Thanks.
-g
gf wrote:
> Hi, I am relatively new to Zope and have a question regarding acl_user folders.
> I am trying to prevent 'view' access to an acl_users folder that I have created in a non-root area of my website.
> I have used the management interface Security tab to uncheck the 'Acquire permission settings' for the 'View' Permission and have enabled View for the Manager role only.
> I have taken the same actions for my root acl_users folder as well.
> When I browse to http://mysite/myfolder/acl_users, I am presented with a view of the index_html file contained within myfolder, with the <dtml-var title_or_id> 'output' indicating that it is 'User Folder'.
> Why is acl_users making use of the container's index_html? Is there a way to limit even View access to this folder?
> Thanks.
> -g
gf,

That's normal zope acquisition. When you access a folder with no viewable object it goes *up* in search of something to acquire and index_html is implied. Authorization occurs when something is about to be published or accessed - not just typed in a URL.

David
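The behaviour David describes, as an added example that is not part of the original thread and is not Zope's own code: a simplified Python model in which the default view is acquired from the container and the View check is made on the object that is actually published. `Node`, `publish()`, `build_site()` and the role sets are hypothetical names constructed for this sketch.

```python
# Simplified model of acquisition plus publish-time authorization.
# Not Zope code: Node, publish() and build_site() are hypothetical names.

class Unauthorized(Exception):
    pass

class Node:
    def __init__(self, name, parent=None, view_roles=None):
        self.name, self.parent = name, parent
        self.view_roles = view_roles  # None means "acquire the setting"
        self.items = {}
        if parent is not None:
            parent.items[name] = self

    def acquire(self, name):
        """Return the named item from this node or the nearest container."""
        node = self
        while node is not None:
            if name in node.items:
                return node.items[name]
            node = node.parent
        return None

    def roles_for_view(self):
        """Resolve View roles through the object's own containers."""
        node = self
        while node is not None:
            if node.view_roles is not None:
                return node.view_roles
            node = node.parent
        return set()

def publish(root, path, user_roles):
    """Traverse the URL, pick the default view, then authorize it."""
    context = root
    for part in path.strip("/").split("/"):
        context = context.items[part]
    published = context.acquire("index_html") or context
    if not (published.roles_for_view() & set(user_roles)):
        raise Unauthorized(path)
    return published, context

def build_site():
    """Constructed site matching the thread: View on acl_users is Manager-only."""
    root = Node("root", view_roles={"Anonymous", "Manager"})
    myfolder = Node("myfolder", root)
    Node("index_html", myfolder)
    Node("acl_users", myfolder, view_roles={"Manager"})
    return root

if __name__ == "__main__":
    page, ctx = publish(build_site(), "/myfolder/acl_users", {"Anonymous"})
    print(page.parent.name + "/" + page.name, "rendered for", ctx.name)
```

In this model the Manager-only View setting on acl_users is never consulted, because the object being published is myfolder's index_html, whose View roles resolve through myfolder and the root.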
On 2/24/06, David <bluepaul@earthlink.net> wrote:
> gf wrote:
> > Hi, I am relatively new to Zope and have a question regarding acl_user folders.
> > I am trying to prevent 'view' access to an acl_users folder that I have created in a non-root area of my website.
> > I have used the management interface Security tab to uncheck the 'Acquire permission settings' for the 'View' Permission and have enabled View for the Manager role only.
> > I have taken the same actions for my root acl_users folder as well.
> > When I browse to http://mysite/myfolder/acl_users, I am presented with a view of the index_html file contained within myfolder, with the <dtml-var title_or_id> 'output' indicating that it is 'User Folder'.
> > Why is acl_users making use of the container's index_html? Is there a way to limit even View access to this folder?
> > Thanks.
> > -g
> gf,
> That's normal zope acquisition. When you access a folder with no viewable object it goes *up* in search of something to acquire and index_html is implied. Authorization occurs when something is about to be published or accessed - not just typed in a URL.
> David
Hi David,

I appreciate the clear explanation. That certainly makes sense. Does that mean, then, that it is not really possible to limit view access like I want without some 'extraordinary' measures? Is it possible to have this particular folder type acquire some other object instead of index_html? I suppose if I could redirect to another folder that would be sufficient.

Thanks.
-g
gf wrote:
> On 2/24/06, David <bluepaul@earthlink.net> wrote:
> > gf wrote:
> > > Hi, I am relatively new to Zope and have a question regarding acl_user folders.
> > > I am trying to prevent 'view' access to an acl_users folder that I have created in a non-root area of my website.
> > > I have used the management interface Security tab to uncheck the 'Acquire permission settings' for the 'View' Permission and have enabled View for the Manager role only.
> > > I have taken the same actions for my root acl_users folder as well.
> > > When I browse to http://mysite/myfolder/acl_users, I am presented with a view of the index_html file contained within myfolder, with the <dtml-var title_or_id> 'output' indicating that it is 'User Folder'.
> > > Why is acl_users making use of the container's index_html? Is there a way to limit even View access to this folder?
> > > Thanks.
> > > -g
> > gf,
> > That's normal zope acquisition. When you access a folder with no viewable object it goes *up* in search of something to acquire and index_html is implied. Authorization occurs when something is about to be published or accessed - not just typed in a URL.
> > David
> Hi David, I appreciate the clear explanation. That certainly makes sense. Does that mean, then, that it is not really possible to limit view access like I want without some 'extraordinary' measures? Is it possible to have this particular folder type acquire some other object instead of index_html? I suppose if I could redirect to another folder that would be sufficient.
> Thanks.
> -g
gf,

So far you haven't described how they "view" acl_users. Which is what I thought was your concern. They are viewing the first (authenticated) viewable object which is one level above. Maybe you can better define your security concerns. What don't you want users to see?

David
participants (2): David, gf