[Zope] User Authentication Question

Kevin Dangoor kid@kendermedia.com
Fri, 18 Feb 2000 15:28:27 -0500


----- Original Message -----
From: "James W. Howe" <jwh@allencreek.com>
To: <zope@zope.org>
Sent: Friday, February 18, 2000 2:24 PM
Subject: [Zope] User Authentication Question


> I have a folder which contains several objects, including subfolders. Some
> of the subfolders I have locked down so that only a manager can do anything
> with them. However, if I log in as a non-manager to the management
> interface of the parent folder these locked down folders appear in the
> contents list. It seems to me that if any object isn't visible to the
> currently authenticated user, the object shouldn't be displayed in a
> contents list. Is this a bug, a feature, or a misunderstanding on my part
> about how authentication and object visibility should work?

If you have the "access contents information" permission for a given object,
you can view the object IDs for every object contained within that object,
regardless of the permissions you have for the subobjects.

I think this makes sense, because the subobjects in a container belong to
that container, and a person with permissions for that container should be
aware that they are there. Maybe the person doesn't have "View" permission
on those subobjects, but maybe they do have some other permission.

Kevin
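
The behaviour described in this message, as an added example that is not part of the original post and is not Zope code: a simplified model in which listing a container's IDs is gated only by the container's "Access contents information" permission, plus an audit helper that reports which IDs a role can enumerate without holding "View" on them. The `Node` class, the function names and the sample tree are all hypothetical.

```python
# Simplified model of Zope-style per-object permission settings (an assumption
# for illustration; this is not Zope's implementation or API).
ACI = "Access contents information"
VIEW = "View"

class Node:
    def __init__(self, oid, parent=None):
        self.oid, self.parent, self.children = oid, parent, []
        self.grants = {}  # permission -> (set of roles, acquire from parent?)
        if parent is not None:
            parent.children.append(self)

    def set_permission(self, permission, roles, acquire=True):
        self.grants[permission] = (set(roles), acquire)

    def roles_for(self, permission):
        """Roles holding `permission` here, following acquisition upward."""
        roles, acquire = self.grants.get(permission, (set(), True))
        if acquire and self.parent is not None:
            return roles | self.parent.roles_for(permission)
        return set(roles)

    def allows(self, permission, user_roles):
        return bool(self.roles_for(permission) & set(user_roles))

def list_ids(container, user_roles):
    """Contents listing: gated only by the container's own permission."""
    if not container.allows(ACI, user_roles):
        raise PermissionError(ACI)
    return [c.oid for c in container.children]

def ids_disclosed_without_view(container, user_roles):
    """IDs the user can enumerate but cannot View (the case in the thread)."""
    by_id = {c.oid: c for c in container.children}
    return [i for i in list_ids(container, user_roles)
            if not by_id[i].allows(VIEW, user_roles)]

def build_sample():
    # Constructed sample tree: one open subfolder, one locked to Manager.
    site = Node("site")
    site.set_permission(ACI, {"Manager", "Member"}, acquire=False)
    site.set_permission(VIEW, {"Manager", "Member"}, acquire=False)
    Node("public_docs", site)  # no local settings: acquires from "site"
    locked = Node("admin_only", site)
    locked.set_permission(VIEW, {"Manager"}, acquire=False)
    locked.set_permission(ACI, {"Manager"}, acquire=False)
    return site
```

Running `ids_disclosed_without_view(build_sample(), {"Member"})` reports the locked subfolder's ID, which is the listing the original question observed; if the IDs themselves are sensitive, the parent's "Access contents information" permission is the setting to restrict.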