[Zope] Folder visibility

J. Cameron Cooper jccooper@rice.edu
Mon, 06 Aug 2001 08:52:08 -0500


>
>
>If I give FolderViewer access to Client1, then can they still not
>just change the url to /Client2 and because access it; Since both
>folders have access for FolderViewer and the actual person logging 
>on has a local role of FolderViewer.
>
>It seems like I have to create a FolderViewer1 for Client1 and 
>FolderViewer2 for Client2.
>
I'd try to answer in French, but frankly I'd just be embarrassing myself...

If Person1 has a local role of 'FolderViewer' in Folder1, but not in 
Folder2, he cannot do 'FolderViewer' things in Folder2, even through 
acquisition. At least, that's how it should work.

Security in Zope is an entirely local affair, and neither the client 
session state nor anything other than location matters. You only have 
the access of a local role in the object in which it was granted and its 
children. Not siblings, not ancestors, nothing else. Consider it like 
placing a user folder in a subfolder of root: users cannot authenticate 
at the root level or in other folders, only in the folder in which the 
user folder lives.

        --jcc
    (authenticated)
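As an added illustration (not part of the original post and not Zope's own code), here is a small Python model of the rule described above: a local role granted on a folder is acquired downward by that folder's children, never by siblings or ancestors, and a permission check succeeds only when the roles the user holds at that location intersect the roles the permission is mapped to there. The class and function names (Folder, user_roles, permission_roles, has_permission, traverse, build_site) are invented for this example; the site layout with /Client1 and /Client2 is constructed to match the question.

```python
"""Model of Zope-style location-based security (illustrative stand-in only).

Assumptions made here, not facts about Zope's internals:
  - each Folder records local roles (user -> roles) and a
    permission -> roles mapping, both acquired from the parent when absent;
  - a user with no local role anywhere holds no roles at all.
"""


class Folder:
    """A node in the containment tree, mimicking a Zope Folder."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.local_roles = {}       # user -> set of roles granted *here*
        self.permission_roles = {}  # permission -> set of roles allowed *here*
        self.children = {}
        if parent is not None:
            parent.children[name] = self


def user_roles(folder, user):
    """Roles `user` holds at `folder`: local roles granted on `folder` or on
    any ancestor. Walking only upward is what makes a grant apply to the
    folder and its children but not to siblings or ancestors."""
    roles = set()
    node = folder
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.parent
    return roles


def permission_roles(folder, permission):
    """Roles that `permission` is mapped to at `folder`, acquired from the
    nearest ancestor that defines it; nobody if no ancestor defines it."""
    node = folder
    while node is not None:
        if permission in node.permission_roles:
            return node.permission_roles[permission]
        node = node.parent
    return set()


def has_permission(folder, user, permission):
    """True when the user's roles at this location grant the permission."""
    return bool(user_roles(folder, user) & permission_roles(folder, permission))


def traverse(root, path):
    """Resolve a URL-style path such as '/Client1/reports' to a Folder."""
    node = root
    for part in path.strip('/').split('/'):
        if part:
            node = node.children[part]
    return node


def build_site():
    """Constructed sample site: root with Client1 (holding a 'reports'
    subfolder) and Client2. 'View' is mapped to FolderViewer in both client
    folders, but person1 holds FolderViewer locally in Client1 only."""
    root = Folder('root')
    root.permission_roles['View'] = {'Manager'}
    client1 = Folder('Client1', root)
    client2 = Folder('Client2', root)
    Folder('reports', client1)
    for f in (client1, client2):
        f.permission_roles['View'] = {'Manager', 'FolderViewer'}
    client1.local_roles['person1'] = {'FolderViewer'}
    return root


if __name__ == '__main__':
    site = build_site()
    for path in ('/', '/Client1', '/Client1/reports', '/Client2'):
        allowed = has_permission(traverse(site, path), 'person1', 'View')
        print('%-18s View for person1: %s' % (path, allowed))
```

Changing the URL from /Client1 to /Client2 gains nothing: the FolderViewer grant lives on Client1, so at Client2 person1 holds no roles, and at the root the grant is likewise invisible because acquisition of local roles runs only from parent to child.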