[Zope] Re: Anonymous users can download files stored in a restricted folder

Tres Seaver tseaver at zope.com
Mon Apr 11 09:57:33 EDT 2005



Barbara Harris wrote:
> Is it possible to restrict access to the file download function by
> setting permissions on the folder containing a published file?
> 
> In a Zope 2.6.4 CMF site, running on Apache, I have removed anonymous
> access from a portal folder (the restricted folder) and published
> documents and files in that folder.  If a document elsewhere on the site
> contains a hyperlink to a DOCUMENT in the restricted folder, anonymous
> users are prompted to log in to the site when they select the link - this
> is what I want.  However, a hyperlink to a FILE published in the
> restricted folder triggers the Windows file download window and allows
> an anonymous user to download the file.

Zope's security model, by design, allows objects to be published even if
the container cannot be;  therefore you need to ensure that the object
itself does not become viewable by anonymous.

You likely need to modify the "Security" tab on the "published" state in
your workflow to prevent granting "View" permission to "Anonymous".  You
probably want it to have the "Acquire?" flag turned on, instead.


Tres.
--
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
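
The behaviour described in the reply above, as an added example that is not part of the original message and is not Zope code: a simplified, self-contained model of per-object permission settings with an "Acquire?" flag, showing why the restricted folder does not protect a File whose workflow state grants "View" to "Anonymous". The `Node` class, `build_site` and the object names are assumptions made for illustration.

```python
# Simplified model of per-object permission resolution (constructed; not Zope source).
class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.settings = {}  # permission -> (roles, acquire flag)

    def manage_permission(self, permission, roles, acquire):
        # Same argument shape as the Security tab: role list plus "Acquire?".
        self.settings[permission] = (frozenset(roles), bool(acquire))


def effective_roles(obj, permission):
    """Union local roles with the parents' roles until acquire is off."""
    roles = set()
    while obj is not None:
        local, acquire = obj.settings.get(permission, (frozenset(), True))
        roles |= local
        if not acquire:
            break  # explicit setting: the containers above are never consulted
        obj = obj.parent
    return roles


def anonymous_can(obj, permission="View"):
    # The check is made on the published object itself, not on its container.
    return "Anonymous" in effective_roles(obj, permission)


def build_site(state_roles, state_acquire):
    """Constructed site: portal -> restricted folder -> published File."""
    portal = Node("portal")
    portal.manage_permission("View", ["Anonymous", "Manager"], acquire=False)
    folder = Node("restricted", portal)
    folder.manage_permission("View", ["Member", "Manager"], acquire=False)
    report = Node("report.pdf", folder)
    # The workflow's "published" state stamps its Security-tab settings
    # onto the object itself when the object enters that state.
    report.manage_permission("View", state_roles, state_acquire)
    return folder, report


if __name__ == "__main__":
    cases = {
        "published grants View to Anonymous": (["Anonymous"], False),
        "published has Acquire on, no Anonymous": ([], True),
    }
    for label, (roles, acquire) in cases.items():
        folder, report = build_site(roles, acquire)
        print(f"{label}: folder={anonymous_can(folder)} file={anonymous_can(report)}")
```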
