[Zope-CMF] recursive permissions and folders

martin f krafft madduck@madduck.net
Sun, 25 May 2003 21:17:27 +0200 

--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I am a little at a loss here. I would like to provide a subhierarchy
/internal on my site, which is only accessible if the visitor holds
a specific role.

If i remove the 'View' permission for everyone else from that
folder, it seems to work because all child objects acquire
permissions settings from the parent.

But I have a problem: my site is managed by a workflow system, and
thus the 'View' permission is specific to every single object. I can
remove 'View' from /internal, and noone can view that folder or
documents contained in it, but when as visitor directly accesses
e.g. /internal/faq/document, access is granted.

I would have to keep /internal and all documents below it in the
'private' workflow state to maintain this security. Since I have
other Members with workflow change permissions, this is too much of
a risk as humans are well-known to err here and there...

Unix has the 'x' permission, and the following setting does exactly
what I want:

  drwxrwx---   Owner      Admins          /internal

Now the owner and anyone in the group Admins can do whatever they
want in /internal, but anyone else cannot access the directory.
Moreover, if there is a subdir:

  drw-rw-rw-   Owner      Admins          /internal/faq/document

still noone but the owner or the Admins could access that file.=20

Is something like this possible in Zope?

How else do people manage this requirement?

Thanks!

--=20
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
=20
keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
get my key here: http://madduck.net/me/gpg/publickey
=20
eleventh law of acoustics:
  in a minimum-phase system there is an inextricable link between
  frequency response, phase response and transient response, as they
  are all merely transforms of one another. this combined with
  minimalization of open-loop errors in output amplifiers and correct
  compensation for non-linear passive crossover network loading can
  lead to a significant decrease in system resolution lost. however,
  of course, this all means jack when you listen to pink floyd.

--PEIAKu/WMn1b1Hv9
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+0RbHIgvIgzMMSnURAvgoAJ9zkh4zn4M7v/CRS+N+46AqqndN/QCg3K3O
kz3PUtd6UHA8u/IgIRS9p04=
=5mYY
-----END PGP SIGNATURE-----

--PEIAKu/WMn1b1Hv9--