A bit more exploring reveals that I can call absolute_url on Folder object or aquition path of Folder objects regardless of the fact that they all fail to aquire a view permission. However if I try to do the same on another ZPT or PythonScript etc, then I get the follwing error " <strong>Error Type: Unauthorized</strong><br> <strong>Error Value: You are not allowed to access doRegistration in this context</strong> " It seems that the security framework barfs to a traversal of anything else other than folders???

-----Original Message----- From: Jay, Dylan Sent: Tuesday, 3 December 2002 2:59 PM To: 'zope@zope.org' Subject: Permissions, ZPT and absolute_url

I'm having a bit of trouble with security and ZPT. I am locking down my site such that only the cookie login page has anonymous view permission. This page however is used with the VirtualHost monster so all the links off it have something like tal:attributes="here/reg/register.html/absolute_url".

Now from looking at the code absolute_url is a public method so shouldn't call be allowable without having to make register.html viewable to anonymous? Without ZPT proxy roles would be the answer but that isn't offer with ZPT :(

---- Dylan Jay mailto:djay@avaya.com Avaya Communication Tel: +61-2-9352-8642 Level 3, 123 Epping Road FAX: +61-2-9352 9224 Nth Ryde NSW 2113 Mobile: 0409 606 171 AUSTRALIA