[Zope] Permissions question

Kevin Carlson khcarlso@bellsouth.net
Mon, 16 Dec 2002 10:34:36 -0500 

I am searching a catalog based on the following criteria:

I have the following folder structure:

Root Folder
  | - Folder 1
  | - Folder 2
        | - Folder 2.1
        | - Folder 2.2
  | - Folder 3
  | - Catalog

I have images in each of the subfolders of the root folder.  There is an
acl_users folder in root as well as in Folder 2.1.  The Catalog contains
references to each of the image objects in each folder.

If I log in as a user that has access to the Root Folder, all is well.
However, when I log in as a user that is listed in the acl_users folder
contained in Folder 2.1, catalog searches are getting fouled up.  When I
search the catalog on a text index and check each object to see if the
AUTHENTICATED_USER has the 'View' permission, I am getting several results
in the result set that shouldn't appear.  Only the images that match the
search AND appear in Folder 2.1 should be returned for all the users listed
in Folder 2.1's acl_users but I am getting back images in other folders as
well.

My permissions are set up to allow 'View' access only to 'Authenticated'
users.  I am searching the catalog with the following python script:

--------------------
request = container.REQUEST
RESPONSE =  request.RESPONSE

keywordFields = ('title', 'desc')

docList = {}


if keyword != None and keyword.strip() != "":
   for field in keywordFields :
      for item in context.photoCatalog({field : keyword}) :
         if request['AUTHENTICATED_USER'].has_permission('View', item) :
            docList[item.id] = item

   #convert to list
   docList = docList.values()

return docList
----------------------

The line that calls has_permission is returning 1 for pictures outside of
the folder in which the user is defined.  However, when I render the results
page from the docList variable, the images are correctly shown as
inaccessible to this user and the login dialog box is displayed.  What I'm
trying to do is avoid this login by confining result items to those that are
viewable by the currently logged in user.

Anyone have any ideas as to why this is happening?

Kevin