[Zope-dev] Help on Zope security needed ...
Dieter Maurer
dieter@handshake.de
Wed, 1 Aug 2001 20:22:33 +0200 (CEST)
Joachim Werner writes:
> I am trying to get into understanding the Zope security machinery (Zope
> 2.4), and it seems to not quite do things as expected:
>
> I have a Folder hierarchy like this:
>
> ROOT
> --FOLDER
>
>
> - In ROOT I have a method "title" and the "index_html" method
> - I have a user "Charly" that has the role "TitleViewer" in a user folder
> in FOLDER
> - the method "title" has View permissions linked to "TitleViewer" and
> "Manager"
> - the "index_html" method contains a string "<dtml-var title missing>"
>
> Now I go to http://.../ROOT/FOLDER/index_html. My user is "Charly".
>
> I would expect to see the title now, but I don't. If I remove the "missing"
> from the <dtml-var title>, I will get a key error for "title".
That's as it should be:
Zope security had been strengthened to explicitly forbid access
to objects outside the folder covered by the authenticating
user folder.
> The funny thing is: http://.../ROOT/FOLDER/title will work fine ...
Indeed, funny. Should probably not happen. Are you
sure you get the "title" from root and not that from "FOLDER"
(it has a "title" of its own)?
> Also, if the user is in the ROOT folder, everything works fine. But then I
> can't really do what I want, i.e. restrict permissions to the FOLDER folder
> ....
That's to be expected, because then, the authenticating user folder
covers the "title" method.
Dieter
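The rule Dieter describes, as an added illustration that is not Zope's own code: a user authenticated by a user folder may only reach objects whose containment chain passes through the folder holding that user folder, so a "title" acquired from ROOT is out of scope for Charly when his user folder sits in FOLDER. The class and function names here are assumptions of this simplified model.

```python
# Simplified model of the containment check described in the reply above.
# Added illustration, not Zope's implementation; names are assumptions.

class Folder:
    """A container; `parent` is the containment (inner) parent, not an
    acquisition wrapper, so acquired objects keep their real container."""
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.methods = {}  # method name -> set of roles granted View

    def containment_chain(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

    def lookup(self, name):
        """Acquire `name` by walking up the containment chain.
        Returns (folder that owns it, roles) or None if not found."""
        for node in self.containment_chain():
            if name in node.methods:
                return node, node.methods[name]
        return None


class User:
    def __init__(self, name, roles, context):
        self.name = name
        self.roles = set(roles)
        self.context = context  # folder holding the authenticating user folder

    def allowed(self, owner, roles):
        """Deny unless the object's real container lies inside the user
        folder's scope AND the user holds one of the required roles."""
        if self.context not in owner.containment_chain():
            return False
        return bool(self.roles & roles)


def can_view(user, folder, name):
    """Resolve `name` from `folder` the way <dtml-var> would, then check it."""
    hit = folder.lookup(name)
    if hit is None:
        raise KeyError(name)  # what Joachim saw without "missing"
    owner, roles = hit
    return user.allowed(owner, roles)


def build_scenario(user_folder_in_root=False):
    """ROOT/FOLDER layout from the thread; Charly is TitleViewer."""
    root = Folder("ROOT")
    sub = Folder("FOLDER", parent=root)
    root.methods["title"] = {"TitleViewer", "Manager"}
    ctx = root if user_folder_in_root else sub
    return root, sub, User("Charly", ["TitleViewer"], context=ctx)
```

Running the three cases shows the behaviour from the thread: "title" acquired from ROOT is denied when Charly's user folder is in FOLDER, allowed when it is in ROOT, and a "title" defined in FOLDER itself is allowed either way.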