[Zope] User Authentication Question
James W. Howe
jwh@allencreek.com
Fri, 18 Feb 2000 15:41:47 -0500
At 03:28 PM 2/18/00 -0500, Kevin Dangoor wrote:
>----- Original Message -----
>From: "James W. Howe" <jwh@allencreek.com>
>To: <zope@zope.org>
>Sent: Friday, February 18, 2000 2:24 PM
>Subject: [Zope] User Authentication Question
>
> > I have a folder which contains several objects, including subfolders. Some
> > of the subfolders I have locked down so that only a manager can do anything
> > with them. However, if I log in as a non-manager to the management
> > interface of the parent folder these locked down folders appear in the
> > contents list. [...] Is this a bug, a feature, or a misunderstanding on my part
> > about how authentication and object visibility should work?
>
>If you have the "access contents information" permission for a given object,
>you can view the object IDs for every object contained within that object,
>regardless of the permissions you have for the subobjects.
>
>I think this makes sense, because the subobjects in a container belong to
>that container, and a person with permissions for that container should be
>aware that they are there. Maybe the person doesn't have "View" permission
>on those subobjects, but maybe they do have some other permission.

I can accept that argument, but then I would ask if there is any way to get
a "restricted" view? Basically I want to set things up so a content
manager only sees the content that they actually have access to. For
example, I have a news site. I may have one role which grants the
authority to create and maintain weekly "issues". I want this user to be
able to see existing issues, edit existing issues, etc. I may have another
role for managing classified ads. I don't want the person working with the
classifieds to have access to the issues, nor do I want them to even see
them. It's not so much a security thing as it is a focus thing. The
classified ad person only needs to see information relating to classifieds
and nothing else. Is there a way to get this kind of control in Zope as it
currently exists, or do I need to write my own subclasses of ObjectManager
to add this sort of capability?
Thanks.
James W. Howe mailto:jwh@allencreek.com
Allen Creek Software, Inc. pgpkey: http://ic.net/~jwh/pgpkey.html
Ann Arbor, MI 48103
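
Added example, not part of the original messages and not Zope's own code: a simplified Python model of the behaviour described in the quoted reply (a container-level "Access contents information" check exposes every child ID) next to a listing filtered per object, which is the "restricted" view asked about. The `Item` class, the function names, the role names and the sample site are assumptions made for illustration; only the two permission names come from the thread.

```python
# Simplified model, NOT Zope's implementation. Item, object_ids, restricted_ids,
# build_site and the role names are hypothetical.
from dataclasses import dataclass, field

ACCESS_CONTENTS = "Access contents information"  # permission named in the thread
VIEW = "View"                                    # permission named in the thread


@dataclass
class Item:
    id: str
    # permission name -> set of roles granted that permission on this object
    grants: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

    def allows(self, roles, permission):
        return bool(set(roles) & self.grants.get(permission, set()))


def object_ids(container, roles):
    """Container-level check only: every child ID is returned."""
    if not container.allows(roles, ACCESS_CONTENTS):
        raise PermissionError(f"no '{ACCESS_CONTENTS}' on {container.id}")
    return [child.id for child in container.children]


def restricted_ids(container, roles, permission=VIEW):
    """Same container check, then keep only children the roles may use."""
    object_ids(container, roles)  # raises if the container itself is off limits
    return [c.id for c in container.children if c.allows(roles, permission)]


def build_site():
    # Constructed sample: a news folder with two locked-down subfolders.
    issues = Item("issues", {VIEW: {"Manager", "IssueEditor"}})
    classifieds = Item("classifieds", {VIEW: {"Manager", "ClassifiedsEditor"}})
    everyone = {"Manager", "IssueEditor", "ClassifiedsEditor"}
    return Item("news", {ACCESS_CONTENTS: everyone}, [issues, classifieds])


if __name__ == "__main__":
    site = build_site()
    roles = ["ClassifiedsEditor"]
    print("unfiltered:", object_ids(site, roles))      # IDs of both subfolders
    print("restricted:", restricted_ids(site, roles))  # only what the role may view
```

In the model the unfiltered listing leaks the existence and name of `issues` to the classifieds role even though that role holds no permission on it; the filtered listing hides the entry but does not change what the role can reach by ID, so the per-object permissions still have to be set.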