[Zope] Security

[Gregor]

After over a week, I'm obviously still not understanding something about Zope
security.  Every time I think I've got it, something fails to work as I
expect.


What I am trying to do (currently) is this:

Create a really simple member folder thingy (Place) that lets a person log in
and create generic DTML documents, as well as custom documents (Thing), in
their space.

As I understand it, the basic steps to do this are:

1. Create a new product (PlaceProduct).  Inside that, create a Z Class
(PlaceClass) with a meta-type "Place".  The Z Class has a base class of
"Object Manager", since I want it to hold stuff.    Set up a "Security" ==
"manage_access" view inside PlaceClass so I can assign my role later.

2. Back to the Product list, create another new product (ThingProduct).
Inside that, create a Z class (ThingClass) with a meta-type "Thing".  This has
some properties on it, but that is not important for the problem at hand.

3. Inside PlaceClass, set the subobjects to include "DTML Documents", "DTML
Methods", and "Thing".

4. At the top-level of Zope, create a new role called "Contrib".  Give it
these permissions (let me know if any are unnecessary):

Access Contents Information
Add Documents, Images, and Files
**Add Things**
Change DTML Documents
Change DTML Methods
Delete Objects
Manage Properties
View
View Management Screens

** emphasized

5. Set up a user at the top level, but assign it no roles there

6. Elsewhere in the hierarchy, create a "Place".  Inside this, I'll have to
give the user a local role of "Contrib".


Now, as I understand it, the user should be able to enter his
username/password to use the management interface for that Place, and should
be able to add DTML Documents, DTML Methods, and Things there, delete them,
edit their properties, etc.

Unfortunately, what actually happens is that the user can create and
manipulate DTML Documents and Methods just fine.  When the user tries to
create a Thing, a new password dialog pops up and refuses to accept the user's
name/password.

Have I missed a step somewhere, am I just completely off-base about the whole
idea, or is something broken?


On a completely unrelated topic, does ZServer seem to intermittently vapor
lock for anyone besides me?  I use the binary installation on Win98, and both
2.1.1 and 2.1.2 have done this.

I can't identify anything in particular that causes it.  Sometimes I'll just
come back to the browser that I was tinkering in (after working on something
else for an extended period), try to do something in the management interface,
and get no response.  Sometimes it'll happen when clicking a link (any link)
on the site itself.  When this happens I have to kill the DOS window that is
running the server, then restart Zope.

(I'm not running under Apache or anything like that; just running the
start.bat file and using localhost while I learn the program.)

- Gregor