[Zope] Security Question

[Jonathan Bryant]

Hi all,

I have a question about security and users in Zope.

I'm trying to set up a system where a user sees the list of subfolders in a 
folder. The problem is that the user can only see those subfolders that 
he/she has access to.

I've tried a number of different methods but none seem to work, specifically 
using

AUTHENTICATED_USER.has_permission('View', MySubfolder)

Let's say I have a folder called projects:

projects/ (User 'Bill' role='View_Only')
   /project1 (User 'Bill' role='Manager')
   /project2 (User 'Bill' no role specified)


Using the following dtml method I can get Bill's roles in each folder:

<dtml-in "AUTHENTICATED_USER.getRoles()">
  <dtml-var sequence-item>
</dtml-in>


So far so good, in the 'projects' folder I get:

>>View_Only
>>Authenticated

And in the project1 folder I get

>>Manager
>>Authenticated

Looks good, except that when I call my method from above FROM the projects 
folder Using the following code:

<dtml-in expr="objectValues(['Folder'])">
  <dtml-var title><br>
  <dtml-var roles>
</dtml-in>

I get the following input

>>project1
>>View_only
>>Authenticated
>>
>>project2
>>View_only
>>Authenticated

The roles for project2 makes sense since Bill inherits his role there from 
the parent folder. What I don't understand is why Bill's role of 'Manager' 
is unrecognized in folder 'project1'

Thanks in advance,

Jon Bryant

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com