[Zope-dev] Security Question

flynt flynt@gmx.ch
Fri, 23 Nov 2001 13:54:32 +0100


Andre Schubert wrote:
> 
> Hi all,
> 
> I have a little security problem.
> let me explain.
> 
> root/
>   index_html
>   foo/
>     acl_users/
>     bar/
>       Image
> 
> I have an image which could only be viewed by users with a role named
> foobar, these users are in acl_users.
> If I access the image through the web I must authenticate myself for the
> first time, after that everything works well.
> But if I want to access the Image via <dtml-var Image> from the
> index_html in the root folder I got no access.
> After searching at Zope.org I tested with <dtml-var
> "restrictedTraverse('')"> but this doesn't work.
> How do I authenticate myself in foo if I access the folder via DTML?
> 
> Thanks as
> 
> P.S.: Sorry for my bad English
> 
>

Hi Andre

How about in index_html:

<dtml-with "foo.bar">
   <dtml-var Image>
</dtml-with>

and give a proxy role to the method (however I would not give a proxy
role to index_html but use a separate method which then is
called/included in index_html).

(I think this question would fit better on the zope@zope.org mailing
list than on this one ;-)

Regards

--- Flynt