[Zope] Acquisition of the View permission
Caleb Land
bokonon@rochester.rr.com
Tue, 4 Mar 2003 17:39:12 -0500
On Tue, Mar 04, 2003 at 04:34:01PM -0500, Caleb Land wrote:
> Hello,
>
> I am having trouble with folders and the view permission. Say I have a layout
> like:
>
> Users +
>   |--index_html
>   |--caleb +
>   |    |--Folder 1
>   |
>   |--brian +
>        |--Folder 2
>
> Now, let's say that user 'caleb' owns the caleb folder, and user 'brian' owns
> the brian folder. If I set Folder 1 to be View'ed by owner/manager and without
> acquisition, shouldn't someone logged in as 'brian' be forbidden to see:
>
> /Users/caleb/Folder 1/
>
> even if index_html is able to be View'ed by Anonymous? (because of the context
> it's being called from)
I just re-read the Zope Book chapter on security, and I think I know what's
wrong. The index_html ZPT is executing with the permissions of the ZPT itself,
right?

If that's the case, then what would be a good way to achieve my original goal?
(restricting access to an acquired source based on context (in this case
index_html))

Sincerely,
Caleb Land
(bokonon@rochester.rr.com)