[Zope-dev] Weird permission happenings: Is Manager magic?

Lennart Regebro lennart@torped.se
Sat, 1 Jun 2002 17:16:47 +0200


This is the situation:

Zope 2.5.1/Python 2.1.3

I'm calling index_html on an object. Index_html in turn finds a template and
calls "template.view(self)" on it. The template.view pushes itself on the
context in between the object and the object's parent, thusly:

object.aq_parent
thetemplateobjects
object

It then calls "DTMLMethod.__call__( context, REQUEST, RESPONSE)" to render
the DTMLMethod that contains the template itself, and thereby render the
object.

This works very well, for all purposes except when it comes to security. In
the DTMLMethod that contains the HTML I can for example do this:
<dtml-var "AUTHENTICATED_USER.has_permission('View', this)">

And here comes the weird part:

If I am logged in as a user who has the Manager role, the result will be "1"
of the above dtml-var, as expected. However, if I log in as a user who is
not Manager, the result will be "None", no matter if the user has the
permission or not!

I have created a role that has all permissions in the root. All permissions
are acquired over the whole site (which is a very small development site),
and still the above returns "None"!

So, is there something magic about the Manager role?



Best Regards

Lennart Regebro
Torped Strategi och Kommunikation AB