[Zope] Permissions / System design (zope Newbie)

Tilo Renz tilo.renz@student.uni-ulm.de
Sat, 18 Aug 2001 17:06:52 +0200


Hello,

I have two user groups (role student and role staff). In the following setup the method view shows information about the XY file, stored as properties of XY.pdf. Both roles should be allowed to view this information. _The students must not be able to download XY.pdf._

My Setup:
+-+-DTML-Method: view
  I
  +-Folder: data
    I
    +-File: XY.pdf

In order to make data/XY.pdf/view accessible to the students, they must have the rights 'view' and 'Access contents information' on XY.pdf. This means they can also download the file, which is unwanted.

Now I have thought about solutions:

Variant A:
Replace the view method with a Python script show(id), which gets the document id (e.g. XY.pdf) as a parameter and is called on the data folder. Then set up a proxy for show(id), so that students can call it although they don't have any permissions on XY.pdf:

+-+-python-Script: show(id)
  I
  +-Folder: data
    I
    +-File: XY.pdf

I must call data/show?id=XY.pdf to get the information about XY.
Disadvantages: Not really object-oriented. Needs writing a new show script and rewriting other methods in the project, because calls are now going to other URLs. More difficulties if show needs additional CGI parameters.

Variant B:
Set up two trees: data for the staff, public for students. Write a script that copies everything from data to public, except that files like XY.pdf should be 0-byte copies, but with all properties.
Disadvantages: Ugly redundancy. Costs disk space and time for copying.


What do you think about my problem? What should I do? Have I overlooked something, and are there better solutions?

Thanks in advance.

Tilo
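
Variant A from the message above, as an added example that is not part of the original post and is not Zope code: a plain-Python model of a show(id) gateway that runs with more rights than its caller and hands back only an allow-list of properties. All class, function and constant names, the property names and the sample data are assumptions made for the illustration.

```python
# Plain-Python model of Variant A (constructed; this is not Zope's API).

class AccessDenied(Exception):
    pass

class File:
    def __init__(self, file_id, data, properties, view_roles):
        self.id = file_id
        self.data = data
        self.properties = properties
        self.view_roles = set(view_roles)   # roles allowed to fetch the body

    def download(self, caller_roles):
        # Direct access is checked against the caller's own roles.
        if not self.view_roles & set(caller_roles):
            raise AccessDenied(self.id)
        return self.data

class Folder:
    def __init__(self, files):
        self._files = {f.id: f for f in files}

    def get(self, file_id):
        return self._files[file_id]

# Assumed policy values for the model.
SHOW_CALLERS = {"student", "staff"}        # who may call show()
SHOW_PROXY_ROLES = {"staff"}               # roles show() itself runs with
EXPOSED_PROPERTIES = ("title", "author")   # allow-list returned to callers

def show(folder, doc_id, caller_roles):
    """Return allow-listed properties only, never the file or its body."""
    if not SHOW_CALLERS & set(caller_roles):
        raise AccessDenied("show")
    # The script runs with more rights than its caller, so it must not let
    # the id parameter reach anything outside the folder it was called on.
    if "/" in doc_id or doc_id.startswith("."):
        raise AccessDenied(doc_id)
    f = folder.get(doc_id)
    if not f.view_roles & SHOW_PROXY_ROLES:   # checked against the proxy roles
        raise AccessDenied(doc_id)
    return {k: f.properties[k] for k in EXPOSED_PROPERTIES if k in f.properties}

# Constructed sample data.
DATA = Folder([File("XY.pdf", b"%PDF-constructed",
                    {"title": "Lecture notes", "author": "Staff",
                     "internal_note": "draft"}, {"staff"})])

if __name__ == "__main__":
    print(show(DATA, "XY.pdf", {"student"}))
```

In this model a student gets the title and author through show() while a direct download is refused, and a property outside the allow-list (internal_note) is never returned.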