Acquisition of the View permission
Hello, I am having trouble with folders and the view permission. Say I have a layout like: Users + |--index_html |--caleb + | |--Folder 1 | |--brian + |--Folder 2 Now, let's say that user 'caleb' owns the caleb folder, and user 'brian' owns the brian folder. If I set Folder 1 to be View'ed by owner/manager and without acquisition, shouldn't someone logged in as 'brian' be forbidden to see: /Users/caleb/Folder 1/ even if index_html is able to be View'ed by Anonymous? (because of the context it's being called from) Sincerely, Caleb Land (bokonon@rochester.rr.com)
On Tue, Mar 04, 2003 at 04:34:01PM -0500, Caleb Land wrote:
Hello,
I am having trouble with folders and the view permission. Say I have a layout like:
Users + |--index_html |--caleb + | |--Folder 1 | |--brian + |--Folder 2
Now, let's say that user 'caleb' owns the caleb folder, and user 'brian' owns the brian folder. If I set Folder 1 to be View'ed by owner/manager and without acquisition, shouldn't someone logged in as 'brian' be forbidden to see:
/Users/caleb/Folder 1/
even if index_html is able to be View'ed by Anonymous? (because of the context it's being called from)
I just re-read the Zope Book chapter on security, and I think I know what's wrong. The index_html ZPT is executing with the permissions of the ZPT itself, right? If that's the case, then what would be a good way to achieve my original goal? (restricting access to an acquired source based on context (in this case index_html)) Sincerely, Caleb Land (bokonon@rochester.rr.com)
At 02:39 PM 3/4/2003, Caleb Land wrote:
If that's the case, then what would be a good way to achieve my original goal? (restricting access to an acquired source based on context (in this case index_html))
If you want objects to acquire security settings from their container, use the Acquire Permission Settings option in the object's Security tab. More often than not, this is a good default practice, as it means any changes to container settings propagate to their member objects. HTH, Dylan
Caleb Land wrote at 2003-3-4 17:39 -0500:
... If that's the case, then what would be a good way to achieve my original goal? (restricting access to an acquired source based on context (in this case index_html))
???? You told us that "index_html" must be viewable (you did not tell us why). If this is the case, you can protect the objects "index_html" accesses doing its work and thus get context sensitive protection. You would probably control the "Access contents information" for this purpose. Dieter
participants (3)
-
Caleb Land -
Dieter Maurer -
Dylan Reinhardt