[Zope] Re: Anonymous users can download files stored in a
restricted folder
Tres Seaver
tseaver at zope.com
Mon Apr 11 09:57:33 EDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Barbara Harris wrote:
> Is it possible to restrict access to the file download function by
> setting permissions on the folder containing a published file?
>
> In a Zope 2.6.4 CMF site, running on Apache, I have removed anonymous
> access from a portal folder (the restricted folder) and published
> documents and files in that folder. If a document elsewhere on the site
> contains a hyper link to a DOCUMENT in the restricted folder, anonymous
> users are prompted to login to the site when they select the link - this
> is what I want. However, a hyper link to a FILE published in the
> restricted folder triggers the Windows file download window and allows
> an anonymous user to download the file.
Zope's security model, by design, allows objects to be published even if
the container cannot be; therefore you need to ensure that the object
itself does not become viewable by anonymous.
You likely need to modify the "Security" tab on the "published" state in
your workflow to prevent granting "View" permission to "Anonymous". You
probably want it to have the "Acquire?" flag turned on, instead.
Tres.
- --
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCWoJNGqWXf00rNCgRApfMAJ9/F3dVBzALa6cSd/EKALqURxlHfwCfaeD5
8Dw09zY/hgXQj0k/IHT4ISM=
=GWRr
-----END PGP SIGNATURE-----
More information about the Zope
mailing list