[Zope] How to get around non-propagating proxy roles, also security problem with zsql traversal?

Brad Clements bkc@murkworks.com
Thu, 16 Nov 2000 17:17:46 -0500


Zope 2.2.2 on linux

I have a web site where almost every page can only be viewed by 
authenticated (non anonymous) users.

I want to create one page that anonymous viewers can see. But to 
create this page I want to reuse (not duplicate) existing dtml, so I gave 
this page a proxy role "PUBLIC" and gave that role view and access 
contents rights.

Unfortunately dtml methods called by this dtml document lose their 
proxy rights and revert back to anonymous, hence I get NameError and 
so forth from the called dtml methods.

1. Why is it that proxy roles don't propagate and accumulate when 
methods are called?

2. I'm actually using simple ZSQL traversal, like this:

mysite.com/MyFolder/MyZSQL/138348343/PublicInfo

PublicInfo is the DTML Doc with proxy role = PUBLIC.

MyZSQL is an SQL Method that doesn't appear to be viewable by 
anonymous. However when called using simple traversal shown above, 
the SQL method IS executed.

Is this a security bug? It seems that anonymous users can "call" an sql 
method using traversal even if security disallows anonymous View.


Brad Clements,                bkc@murkworks.com   (315)268-1000
http://www.murkworks.com                          (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com               AOL-IM: BKClements
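The second question is really about when the permission check runs relative to traversal. The following is an added toy model, not code from this thread and not Zope's actual security machinery: it contrasts a guard that validates only the final object with one that validates every object before traversing through it, using a constructed tree with the same names as the URL in the post (`MyFolder`, `MyZSQL`, `138348343`, `PublicInfo`) and made-up role names.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    view_roles: frozenset                 # roles granted "View" on this object
    children: dict = field(default_factory=dict)
    calls: int = 0                        # how often traversal has "called" this object

    def traverse(self, key):
        # Traversing *through* a callable object runs it (an SQL method would run its query).
        self.calls += 1
        return self.children[key]

def require_view(obj, roles):
    if not obj.view_roles & roles:
        raise PermissionError(obj.name)

def traverse_leaf_only(root, path, roles):
    """Weak policy: walk the whole path first, check permission on the result only."""
    obj = root
    for key in path:
        obj = obj.traverse(key)
    require_view(obj, roles)
    return obj

def traverse_each_hop(root, path, roles):
    """Hardened policy: check each object before traversing through it, then the leaf."""
    obj = root
    for key in path:
        require_view(obj, roles)
        obj = obj.traverse(key)
    require_view(obj, roles)
    return obj

def demo(policy):
    """Run one policy over the post's URL as Anonymous; report outcome and SQL-method calls."""
    everyone = frozenset({"Anonymous", "Member"})
    public = Obj("PublicInfo", everyone)
    row = Obj("138348343", everyone, {"PublicInfo": public})
    zsql = Obj("MyZSQL", frozenset({"Member"}), {"138348343": row})  # no View for Anonymous
    folder = Obj("MyFolder", everyone, {"MyZSQL": zsql})
    root = Obj("mysite.com", everyone, {"MyFolder": folder})
    try:
        policy(root, ["MyFolder", "MyZSQL", "138348343", "PublicInfo"], {"Anonymous"})
        outcome = "allowed"
    except PermissionError as e:
        outcome = f"denied at {e}"
    return outcome, zsql.calls
```

With the leaf-only policy the anonymous request is "allowed" and `MyZSQL` is called once on the way to `PublicInfo`; with the per-hop policy the request is denied at `MyZSQL` and the method is never invoked.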