[Zope] Security: showing link in list but not allowing to click without
authorization
Ben Chapman
benjamin-chapman@utulsa.edu
Tue, 17 Jun 2003 11:00:18 -0500
Group:
We're using Zope 2.6.1 and create a menu in our standad_html_header by
doing something like this:
<dtml-in expr="ObjectTypes(['Folder','Ordered Folder'])"
skip_unauthorized>
<a href=...><dtml-var title></a><br>
</dtml-in>
The structure is something like this:
ROOT
standard_html_header
...
standard_html_footer
library (Folder)
- public 1
- public 2
- staff_only
One of the folders is a 'staff-only' folder. We would like it to appear
in the list, but we would like to force the user to authenticate when
they click on the link. So, we defined a user, 'viewer' that has exactly
the same privileges as 'anonymous' and then gave our
standard_html_header document the proxy role of 'viewer'. Then we
removed the view permission and access contents permission from
anonymous within the staff_only folder. This appears to work as expected.
Here's my real question: why did we have to go through this? From
reading the zope book, etc., you would think that all you had to do was
to remove the view permission from the staff_only folder. Is it because
the standard_html_header is acquired from the root folder and so brings
with it security information?
--
Benjamin J. Chapman benjamin-chapman@utulsa.edu 918/631-2405
Director of Computing Resources TU College of Law
http://www.utulsa.edu/law/support/
Send computing support requests to: support@mail.law.utulsa.edu