[Zope-dev] security question

[Tim McLaughlin]

It seems to me that a User should not get to keep their roles in the
acquired objects which are above the User Folder in which the user is
defined... However, that does not seem to be true according my testing.

This is what happens.  Imagine a tree like this
root-folder1-acl_users
    \folder2-object1


root has a role called 'User' with 'View' permissions (anonymous is
disabled) and acl_users has a user called joe.  joe can access objects in
folder2 according to the permissions set on the root by using acquisition
like this:
http://server/folder1/folder2/object1
joe cannot however, access them directly:
http://server/folder2/object1

Does this seem strange to anybody else, or have I just been working too
long?
_____________________________________________________
Tim McLaughlin
iterationZERO - www.iterationzero.com
703-481-2233