[Zope] "private" Yihaw folders and yihaw_latest method.

Didier Georgieff Didier.GEORGIEFF@agriculture.gouv.fr
29 Sep 2000 15:06:17 +0100


Hello,

I have a security/viewing concern.

I have some Yihaw folders that are not public. I removed the "view" permission 
on the folder, and trying to get in calls up the authentication window. Fine.

On my main page, I have the whatsnew, latest and toplevel methods with the 
skip_unauthorized option within the toplevel dtml-in.

If I only have the "view" permission off, the Yihaw folder and subfolders are still 
listed on the toplevel method.
If I also remove the "access content" on the Yihaw folder, no more listing on 
toplevel. Fine.

But when I do that, the "latest" method raises the authentication window, and 
even a manager role fails; it's an authorization problem on the Catalog.

Any idea for solving that?
Thanks in advance.


********* TRACEBACK *********
Unauthorized
You are not authorized to access approved. 
[... SKIP ...]

  File /zope/2-1-6-clean/lib/python/DocumentTemplate/DT_In.py, line 611, in renderwb
    (Object: Catalog(bobobase_modification_time=ZopeTime()-14,
      bobobase_modification_time_usage='range:min',
      sort_on='bobobase_modification_time',
      sort_order='reverse'))
  File /zope/2-1-6-clean/lib/python/DocumentTemplate/DT_With.py, line 148, in render
    (Object: Catalog.getobject(data_record_id_))
  File /zope/2-1-6-clean/lib/python/DocumentTemplate/DT_Util.py, line 329, in eval
    (Object: _.has_key('approved') and approved or not _.has_key('approved'))
    (Info: approved)
Unauthorized: (see above)


--
Didier Georgieff
DDAF du Bas-Rhin - Cellule SIG 
2, rue des Mineurs 67070 Strasbourg Cedex
tél : 03.88.25.20.33 - fax : 03.88.25.20.01
email : didier.georgieff@agriculture.gouv.fr
SIT du Bas-Rhin : http://www.bas-rhin.sit.gouv.fr
GéoWeb http://sertit10.u-strasbg.fr